Commit 9802495704223a4f08f40641a73f24ad7e6d1b73
Exists in
master
and in
2 other branches
Merge branch 'gitlab-selinux' into 'master'
Give ssh-keygen SELinux rights to read tempfiles Thanks to @tinuva for finding the solution [1] to this problem and to @axil for his nice blog post about GitLab and audit2allow [2]. [1]: https://github.com/gitlabhq/gitlabhq/issues/7413#issuecomment-53181049 [2]: http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/ See merge request !193
Showing
9 changed files
with
80 additions
and
0 deletions
Show diff stats
CHANGELOG
README.md
... | ... | @@ -572,6 +572,10 @@ The correct operation of Git access via SSH depends on the labeling of |
572 | 572 | `/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running |
573 | 573 | `sudo gitlab-ctl reconfigure`. |
574 | 574 | |
575 | +Depending on your platform, `gitlab-ctl reconfigure` will install SELinux | |
576 | +modules required to make GitLab work. These modules are listed in | |
577 | +[files/gitlab-selinux/README.md](files/gitlab-selinux/README.md). | |
578 | + | |
575 | 579 | ## Logs |
576 | 580 | |
577 | 581 | ### Tail logs in a console on the server | ... | ... |
config/projects/gitlab.rb
... | ... | @@ -0,0 +1,29 @@ |
1 | +# | |
2 | +# Copyright:: Copyright (c) 2014 GitLab B.V. | |
3 | +# License:: Apache License, Version 2.0 | |
4 | +# | |
5 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
6 | +# you may not use this file except in compliance with the License. | |
7 | +# You may obtain a copy of the License at | |
8 | +# | |
9 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
10 | +# | |
11 | +# Unless required by applicable law or agreed to in writing, software | |
12 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
13 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
14 | +# See the License for the specific language governing permissions and | |
15 | +# limitations under the License. | |
16 | +# | |
17 | + | |
18 | +name "gitlab-selinux" | |
19 | + | |
20 | +dependency "rsync" | |
21 | + | |
22 | +always_build true | |
23 | + | |
24 | +source :path => File.expand_path("files/gitlab-selinux", Config.project_root) | |
25 | + | |
26 | +build do | |
27 | + command "mkdir -p #{install_dir}/embedded/selinux" | |
28 | + command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/" | |
29 | +end | ... | ... |
files/gitlab-cookbooks/gitlab/recipes/default.rb
... | ... | @@ -48,6 +48,7 @@ end |
48 | 48 | include_recipe "gitlab::users" |
49 | 49 | include_recipe "gitlab::gitlab-shell" |
50 | 50 | include_recipe "gitlab::gitlab-rails" |
51 | +include_recipe "gitlab::selinux" | |
51 | 52 | |
52 | 53 | # Create dummy unicorn and sidekiq services to receive notifications, in case |
53 | 54 | # the corresponding service recipe is not loaded below. | ... | ... |
... | ... | @@ -0,0 +1,23 @@ |
1 | +# | |
2 | +# Copyright:: Copyright (c) 2014 GitLab B.V. | |
3 | +# License:: Apache License, Version 2.0 | |
4 | +# | |
5 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
6 | +# you may not use this file except in compliance with the License. | |
7 | +# You may obtain a copy of the License at | |
8 | +# | |
9 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
10 | +# | |
11 | +# Unless required by applicable law or agreed to in writing, software | |
12 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
13 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
14 | +# See the License for the specific language governing permissions and | |
15 | +# limitations under the License. | |
16 | +# | |
17 | + | |
18 | +if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./ | |
19 | + ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen' | |
20 | + execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do | |
21 | + not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'" | |
22 | + end | |
23 | +end | ... | ... |
... | ... | @@ -0,0 +1,10 @@ |
1 | +# SELinux modules for GitLab | |
2 | + | |
3 | +## RHEL / Centos 7 | |
4 | + | |
5 | +rhel/7/gitlab-7.2.0-ssh-keygen.pp | |
6 | + | |
7 | +GitLab handles SSH public keys and we want to verify whether users input valid | |
8 | +SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input | |
9 | +from standard input, we need to create a temporary file. This SELinux module | |
10 | +gives ssh-keygen permission to read the temporary file we create for it. | ... | ... |
No preview for this file type