Commit 9802495704223a4f08f40641a73f24ad7e6d1b73

Authored by Jacob Vosmaer
2 parents dc88484f 75e25d62

Merge branch 'gitlab-selinux' into 'master'

Give ssh-keygen SELinux rights to read tempfiles

Thanks to @tinuva for finding the solution [1] to this problem and to @axil
for his nice blog post about GitLab and audit2allow [2].

[1]: https://github.com/gitlabhq/gitlabhq/issues/7413#issuecomment-53181049
[2]: http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/

See merge request !193
CHANGELOG
... ... @@ -5,6 +5,7 @@ omnibus-gitlab repository.
5 5  
6 6 7.3.0
7 7 - Add systemd support for Centos 7
  8 +- Add a Centos 7 SELinux module for ssh-keygen permissions
8 9  
9 10 7.2.0
10 11 - Pass environment variables to Unicorn and Sidekiq (Chris Portman)
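Review bot: the new entry is filed under 7.3.0 but the module it describes is named `gitlab-7.2.0-ssh-keygen` in `recipes/selinux.rb` and in `files/gitlab-selinux/rhel/7/`; pick one version in the module name (or drop the version from it) so the CHANGELOG and the installed module agree. Style point: the distribution is spelled "CentOS" (the existing line above uses the same "Centos" spelling, so fix both while here).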
... ...
README.md
... ... @@ -572,6 +572,10 @@ The correct operation of Git access via SSH depends on the labeling of
572 572 `/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running
573 573 `sudo gitlab-ctl reconfigure`.
574 574  
  575 +Depending on your platform, `gitlab-ctl reconfigure` will install SELinux
  576 +modules required to make GitLab work. These modules are listed in
  577 +[files/gitlab-selinux/README.md](files/gitlab-selinux/README.md).
  578 +
575 579 ## Logs
576 580  
577 581 ### Tail logs in a console on the server
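Review bot: "Depending on your platform" is vaguer than it needs to be; the recipe in this merge request only acts on `platform_family == "rhel"` with a 7.x version, so say "On RHEL/CentOS 7, `gitlab-ctl reconfigure` installs SELinux modules ..." and keep the sentence honest as more platforms are added. It would also help readers to state that the modules are only loaded via `semodule`, so a host with SELinux disabled or without the policy tooling is unaffected, if that is the intended behaviour of the recipe.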
... ...
config/projects/gitlab.rb
... ... @@ -43,6 +43,7 @@ dependency "gitlab-rails"
43 43 dependency "gitlab-shell"
44 44 dependency "gitlab-ctl"
45 45 dependency "gitlab-cookbooks"
  46 +dependency "gitlab-selinux"
46 47  
47 48 # version manifest file
48 49 dependency "version-manifest"
... ...
config/software/gitlab-selinux.rb 0 → 100644
... ... @@ -0,0 +1,29 @@
  1 +#
  2 +# Copyright:: Copyright (c) 2014 GitLab B.V.
  3 +# License:: Apache License, Version 2.0
  4 +#
  5 +# Licensed under the Apache License, Version 2.0 (the "License");
  6 +# you may not use this file except in compliance with the License.
  7 +# You may obtain a copy of the License at
  8 +#
  9 +# http://www.apache.org/licenses/LICENSE-2.0
  10 +#
  11 +# Unless required by applicable law or agreed to in writing, software
  12 +# distributed under the License is distributed on an "AS IS" BASIS,
  13 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 +# See the License for the specific language governing permissions and
  15 +# limitations under the License.
  16 +#
  17 +
  18 +name "gitlab-selinux"
  19 +
  20 +dependency "rsync"
  21 +
  22 +always_build true
  23 +
  24 +source :path => File.expand_path("files/gitlab-selinux", Config.project_root)
  25 +
  26 +build do
  27 + command "mkdir -p #{install_dir}/embedded/selinux"
  28 + command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/"
  29 +end
... ...
files/gitlab-cookbooks/gitlab/recipes/default.rb
... ... @@ -48,6 +48,7 @@ end
48 48 include_recipe "gitlab::users"
49 49 include_recipe "gitlab::gitlab-shell"
50 50 include_recipe "gitlab::gitlab-rails"
  51 +include_recipe "gitlab::selinux"
51 52  
52 53 # Create dummy unicorn and sidekiq services to receive notifications, in case
53 54 # the corresponding service recipe is not loaded below.
... ...
files/gitlab-cookbooks/gitlab/recipes/selinux.rb 0 → 100644
... ... @@ -0,0 +1,23 @@
  1 +#
  2 +# Copyright:: Copyright (c) 2014 GitLab B.V.
  3 +# License:: Apache License, Version 2.0
  4 +#
  5 +# Licensed under the Apache License, Version 2.0 (the "License");
  6 +# you may not use this file except in compliance with the License.
  7 +# You may obtain a copy of the License at
  8 +#
  9 +# http://www.apache.org/licenses/LICENSE-2.0
  10 +#
  11 +# Unless required by applicable law or agreed to in writing, software
  12 +# distributed under the License is distributed on an "AS IS" BASIS,
  13 +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 +# See the License for the specific language governing permissions and
  15 +# limitations under the License.
  16 +#
  17 +
  18 +if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./
  19 + ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
  20 + execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
  21 + not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
  22 + end
  23 +end
... ...
files/gitlab-selinux/README.md 0 → 100644
... ... @@ -0,0 +1,10 @@
  1 +# SELinux modules for GitLab
  2 +
  3 +## RHEL / Centos 7
  4 +
  5 +rhel/7/gitlab-7.2.0-ssh-keygen.pp
  6 +
  7 +GitLab handles SSH public keys and we want to verify whether users input valid
  8 +SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
  9 +from standard input, we need to create a temporary file. This SELinux module
  10 +gives ssh-keygen permission to read the temporary file we create for it.
... ...
files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp 0 → 100644
No preview for this file type
files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te 0 → 100644
... ... @@ -0,0 +1,11 @@
  1 +
  2 +module gitlab-7.2.0-ssh-keygen 1.0;
  3 +
  4 +require {
  5 + type ssh_keygen_t;
  6 + type init_tmp_t;
  7 + class file open;
  8 +}
  9 +
  10 +#============= ssh_keygen_t ==============
  11 +allow ssh_keygen_t init_tmp_t:file open;
... ...