Commit 89bc0bf45a2728c54cb7dd36cb2b993c622aedb0

Authored by Jacob Vosmaer
1 parent dc88484f

Give ssh-keygen SELinux rights to read tempfiles

This commit adds an SELinux policy module for CentOS 7 that allows ssh-keygen
to open the temporary files GitLab creates for it.
@@ -5,6 +5,7 @@ omnibus-gitlab repository. @@ -5,6 +5,7 @@ omnibus-gitlab repository.
5 5
6 7.3.0 6 7.3.0
7 - Add systemd support for Centos 7 7 - Add systemd support for Centos 7
  8 +- Add a Centos 7 SELinux module for ssh-keygen permissions
8 9
9 7.2.0 10 7.2.0
10 - Pass environment variables to Unicorn and Sidekiq (Chris Portman) 11 - Pass environment variables to Unicorn and Sidekiq (Chris Portman)
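--- a/config/projects/gitlab.rb
+++ b/config/projects/gitlab.rb
@@ -43,6 +43,7 @@ dependency "gitlab-rails"
 dependency "gitlab-shell"
 dependency "gitlab-ctl"
 dependency "gitlab-cookbooks"
+dependency "gitlab-selinux"
 
 # version manifest file
 dependency "version-manifest"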
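--- /dev/null
+++ b/config/software/gitlab-selinux.rb
@@ -0,0 +1,29 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "gitlab-selinux"
+
+dependency "rsync"
+
+always_build true
+
+source :path => File.expand_path("files/gitlab-selinux", Config.project_root)
+
+build do
+ command "mkdir -p #{install_dir}/embedded/selinux"
+ command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/"
+end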
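Review bot: The `build do` block only rsyncs the checked-in binary `gitlab-7.2.0-ssh-keygen.pp` into `embedded/selinux`, so nothing in the build ties the policy that gets loaded on customer hosts to the `.te` source committed beside it, and a reviewer of this diff cannot tell whether the two agree. If the build image can provide `checkmodule` and `semodule_package`, compiling the module here makes the shipped policy reproducible from reviewed source: `command "checkmodule -M -m -o gitlab-7.2.0-ssh-keygen.mod rhel/7/gitlab-7.2.0-ssh-keygen.te"` followed by `command "semodule_package -o rhel/7/gitlab-7.2.0-ssh-keygen.pp -m gitlab-7.2.0-ssh-keygen.mod"` before the rsync. If that is not feasible in the omnibus build environment, a comment above `source` stating how the `.pp` was produced and that it must be regenerated whenever the `.te` changes would at least document the coupling. `always_build true` plus `rsync --delete` means stale modules are dropped from the package on every build, which is the right default for a directory the recipe later points `semodule -i` at.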
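--- a/files/gitlab-cookbooks/gitlab/recipes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/default.rb
@@ -48,6 +48,7 @@ end
 include_recipe "gitlab::users"
 include_recipe "gitlab::gitlab-shell"
 include_recipe "gitlab::gitlab-rails"
+include_recipe "gitlab::selinux"
 
 # Create dummy unicorn and sidekiq services to receive notifications, in case
 # the corresponding service recipe is not loaded below.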
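--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/selinux.rb
@@ -0,0 +1,23 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./
+ ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
+ execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
+ not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
+ end
+end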
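Review bot: The `not_if` guard on the `execute` keys only on the module name, so once `gitlab-7.2.0-ssh-keygen` is installed any later revision of the `.pp` shipped under the same name is never loaded and the old rules stay active after an upgrade; `semodule -i` already replaces an installed module of the same name, so either drop the guard or make it version-aware by also matching the version column as `semodule -l` prints it on RHEL 7, e.g. `not_if "semodule -l | grep -q '^#{ssh_keygen_module}\\s\\+1\\.0'"`. The platform test `node["platform_version"] =~ /7\./` is unanchored and matches `7.` anywhere in the string; anchor it as `node["platform_version"] =~ /\A7\./` so only major version 7 selects this branch. The `execute` also aborts the whole converge on a CentOS 7 host that lacks `policycoreutils`, which may be intended but deserves either an `only_if { ::File.exist?('/usr/sbin/semodule') }` or a comment saying SELinux tooling is a hard requirement on this platform. `/opt/gitlab` is hard-coded here while the build uses `install_dir`; if the cookbook exposes the install directory as a node attribute, prefer it so the two cannot drift.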
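--- /dev/null
+++ b/files/gitlab-selinux/README.md
@@ -0,0 +1,10 @@
+# SELinux modules for GitLab
+
+## RHEL / Centos 7
+
+rhel/7/gitlab-7.2.0-ssh-keygen.pp
+
+GitLab handles SSH public keys and we want to verify whether users input valid
+SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
+from standard input, we need to create a temporary file. This SELinux module
+gives ssh-keygen permission to read the temporary file we create for it.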
files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp 0 → 100644
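--- /dev/null
+++ b/files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te
@@ -0,0 +1,11 @@
+
+module gitlab-7.2.0-ssh-keygen 1.0;
+
+require {
+ type ssh_keygen_t;
+ type init_tmp_t;
+ class file open;
+}
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t init_tmp_t:file open;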
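Review bot: The single `allow` grants `ssh_keygen_t` only `open` on files labelled `init_tmp_t`, which is commendably narrow, but `init_tmp_t` ties the rule to temp files created by an init-launched service: it presumably only helps when the GitLab process that writes the key file runs under the systemd unit added alongside this (so its tempfiles inherit `init_tmp_t`), and a deployment started another way would still be denied — confirm against the AVC log on such a host. Only `open` is listed, so `read` and `getattr` are presumably already permitted for `ssh_keygen_t` by the base policy (the `#============= ssh_keygen_t ==============` banner suggests this was lifted from audit2allow output, which emits only the denied permission); if the original denial was not solely on `open`, the module is incomplete. The module name carries `7.2.0` while the changelog files this under 7.3.0, and since the recipe's install guard matches on the name, bumping the name or the `1.0` version is what gets a future policy change reinstalled, so that convention should be written down. A header comment stating the provenance and regeneration step would help maintainers, e.g. `# Lets ssh-keygen open the key tempfile GitLab writes for validation on CentOS 7; rebuild the .pp with checkmodule/semodule_package whenever this file changes.`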