Merge branch 'gitlab-contrib/omnibus-gitlab-1485-include-policycoreutils-semanage'

MR: https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/1886

CHANGELOG.md

@@ -5,6 +5,7 @@ omnibus-gitlab repository.
 
 10.0.0
 
+- Use semanage instead of chcon for setting SELinux security contexts (Elliot Wright)
 - Add option to override the hostname for remote syslog
 - Add backup_timeout argument to geo db replication command
 - Remove sensitive params from the NGINX access logs 6983fe59

config/projects/gitlab.rb

@@ -66,6 +66,8 @@ else
   runtime_dependency 'openssh-server'
 end
 
+runtime_dependency 'policycoreutils-python' if rhel?
+
 # creates required build directories
 dependency 'preparation'
 dependency 'package-scripts'

doc/common_installation_problems/README.md

@@ -99,7 +99,7 @@ To troubleshoot this error:
     ```
     $ sudo systemctl restart gitlab-runsvdir
     ```
-    
+
     Using upstart (Ubuntu <= 14.04):
 
     ```
@@ -162,9 +162,14 @@ For Nginx port changes please see [settings/nginx.md](../settings/nginx.md).
 
 On SELinux-enabled systems the git user's `.ssh` directory or its contents can
 get their security context messed up. You can fix this by running `sudo
-gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on
+gitlab-ctl reconfigure`, which will set the `ssh_home_t` security context on
 `/var/opt/gitlab/.ssh`.
 
+In GitLab 10.0 this behavior was improved by setting the context permanently using
+`semanage`. The runtime dependency `policycoreutils-python` has been added to the
+RPM package for RHEL based operating systems in order to ensure the `semanage`
+command is available.
+
 #### All systems
 
 The git user is created, by default, with a locked password, shown by `'!'` in
@@ -206,7 +211,7 @@ Run `sudo gitlab-ctl reconfigure` for the change to take effect.
 ### Postgres error 'FATAL:  could not open shared memory segment "/PostgreSQL.XXXXXXXXXX": Permission denied'
 By default, Postgres will try to detect the shared memory type to use. If you don't
 have shared memory enabled, you might see this error in `/var/log/gitlab/postgresql/current`.
-To fix this, you can disable postgresql's shared memory detection. Set the 
+To fix this, you can disable postgresql's shared memory detection. Set the
 following value in `/etc/gitlab/gitlab.rb`:
 
 ```ruby

files/gitlab-cookbooks/gitlab/recipes/gitlab-shell.rb

@@ -121,8 +121,10 @@ end
 # git_user is valid.
 bash "Set proper security context on ssh files for selinux" do
   code <<-EOS
-    chcon --recursive --type ssh_home_t #{ssh_dir}
-    chcon --type sshd_key_t #{authorized_keys}
+    semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'
+    semanage fcontext -a -t ssh_home_t '#{authorized_keys}'
+    restorecon -R -v '#{ssh_dir}'
+    restorecon -v '#{authorized_keys}'
   EOS
   only_if "id -Z"
 end

spec/chef/recipes/gitlab-shell_spec.rb

@@ -14,7 +14,7 @@ describe 'gitlab::gitlab-shell' do
   context 'when NOT running on selinux' do
     before { stub_command('id -Z').and_return(false) }
 
-    it 'should not run the chcon bash command' do
+    it 'should not run the semanage bash command' do
       expect(chef_run).not_to run_bash('Set proper security context on ssh files for selinux')
     end
   end
@@ -22,7 +22,7 @@ describe 'gitlab::gitlab-shell' do
   context 'when running on selinux' do
     before { stub_command('id -Z').and_return('') }
 
-    it 'should run the chcon bash command' do
+    it 'should run the semanage bash command' do
       expect(chef_run).to run_bash('Set proper security context on ssh files for selinux')
     end
   end