diff --git a/CHANGELOG b/CHANGELOG
index 3eaf44d..0173422 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ omnibus-gitlab repository.
 7.3.0
 - Add systemd support for Centos 7
+- Add a Centos 7 SELinux module for ssh-keygen permissions
 7.2.0
 - Pass environment variables to Unicorn and Sidekiq (Chris Portman)
diff --git a/config/projects/gitlab.rb b/config/projects/gitlab.rb
index e262a34..de6b4ff 100644
--- a/config/projects/gitlab.rb
+++ b/config/projects/gitlab.rb
@@ -43,6 +43,7 @@ dependency "gitlab-rails"
 dependency "gitlab-shell"
 dependency "gitlab-ctl"
 dependency "gitlab-cookbooks"
+dependency "gitlab-selinux"
 # version manifest file
 dependency "version-manifest"
diff --git a/config/software/gitlab-selinux.rb b/config/software/gitlab-selinux.rb
new file mode 100644
index 0000000..145c88f
--- /dev/null
+++ b/config/software/gitlab-selinux.rb
@@ -0,0 +1,29 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "gitlab-selinux"
+
+dependency "rsync"
+
+always_build true
+
+source :path => File.expand_path("files/gitlab-selinux", Config.project_root)
+
+build do
+ command "mkdir -p #{install_dir}/embedded/selinux"
+ command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/"
+end
diff --git a/files/gitlab-cookbooks/gitlab/recipes/default.rb b/files/gitlab-cookbooks/gitlab/recipes/default.rb
index 178c477..3b05488 100644
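Review bot: The `build` block only rsyncs the directory, so the prebuilt `gitlab-7.2.0-ssh-keygen.pp` (committed as a binary elsewhere in this commit) is shipped without ever being rebuilt from the `.te` source that sits next to it, and nothing ties the loaded policy module to the reviewable source. If the build host has the SELinux policy tools, compiling in the build step (`checkmodule -M -m` on the `.te`, then `semodule_package` to produce the `.pp`) would make the shipped module reproducible from source; otherwise a comment inside `build do` stating that the `.pp` must be regenerated by hand whenever the `.te` changes would at least record the obligation. Note also that `rsync --delete -a ./` copies the README and the `.te` into `embedded/selinux` as well, which is harmless but presumably unintended.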
--- a/files/gitlab-cookbooks/gitlab/recipes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/default.rb
@@ -48,6 +48,7 @@ end
 include_recipe "gitlab::users"
 include_recipe "gitlab::gitlab-shell"
 include_recipe "gitlab::gitlab-rails"
+include_recipe "gitlab::selinux"
 # Create dummy unicorn and sidekiq services to receive notifications, in case
 # the corresponding service recipe is not loaded below.
diff --git a/files/gitlab-cookbooks/gitlab/recipes/selinux.rb b/files/gitlab-cookbooks/gitlab/recipes/selinux.rb
new file mode 100644
index 0000000..2ce9ca9
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/selinux.rb
@@ -0,0 +1,23 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./
+ ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
+ execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
+ not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
+ end
+end
diff --git a/files/gitlab-selinux/README.md b/files/gitlab-selinux/README.md
new file mode 100644
index 0000000..5e826c8
--- /dev/null
+++ b/files/gitlab-selinux/README.md
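Review bot: The platform check `node["platform_version"] =~ /7\./` is unanchored, so it matches any version string that merely contains `7.` (a future `17.x` release, for instance) and would then try to load a module built against the RHEL 7 policy; anchoring it, `node["platform_version"] =~ /\A7\./`, or comparing `node["platform_version"].to_i == 7`, restricts it to the intended major release. The `execute` resource also assumes `semodule` is present: on a host without the policy tools the `not_if` pipeline exits non-zero, the guard is therefore false, and the `semodule -i` command then fails the whole Chef run, so an `only_if` on the presence of the `semodule` binary (or the SELinux policy package) would keep the recipe from breaking converges on hosts that never had SELinux. The module path hard-codes `/opt/gitlab` rather than whatever install-directory setting the rest of the cookbook uses; presumably that is configurable elsewhere, so this looks worth deriving from the same source.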
@@ -0,0 +1,10 @@
+# SELinux modules for GitLab
+
+## RHEL / Centos 7
+
+rhel/7/gitlab-7.2.0-ssh-keygen.pp
+
+GitLab handles SSH public keys and we want to verify whether users input valid
+SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
+from standard input, we need to create a temporary file. This SELinux module
+gives ssh-keygen permission to read the temporary file we create for it.
diff --git a/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp b/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp
new file mode 100644
index 0000000..d54e945
Binary files /dev/null and b/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp differ
diff --git a/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te b/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te
new file mode 100644
index 0000000..e5b17ee
--- /dev/null
+++ b/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te
@@ -0,0 +1,11 @@
+
+module gitlab-7.2.0-ssh-keygen 1.0;
+
+require {
+ type ssh_keygen_t;
+ type init_tmp_t;
+ class file open;
+}
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t init_tmp_t:file open;
-- libgit2 0.21.2
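Review bot: The single rule `allow ssh_keygen_t init_tmp_t:file open;` grants only `open`, while the README added in this commit says the module lets ssh-keygen read the temporary file; `open` and `read` are separate file permissions in SELinux, so unless `read` on `init_tmp_t` is already allowed by the base policy a second denial can surface on the first real key validation under enforcing mode — worth confirming with an actual run, and extending to `allow ssh_keygen_t init_tmp_t:file { open read };` only if that run shows it is needed. The `#============= ssh_keygen_t ==============` banner is generator boilerplate; replacing it with a comment naming which process creates the file, why it carries the `init_tmp_t` label, and that this is the narrowest grant that resolves the denial would make the module reviewable on its own. The module is named `gitlab-7.2.0` while the CHANGELOG entry in this commit sits under 7.3.0; if the name is meant to track the GitLab version it was generated against, a comment saying so would avoid confusion later.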