GitLab Does Not Install on RHEL without Several SELinux Permissions and Types Exceptions
Summary
Under DoD requirements to configure the system to be compliant with the DISA Red Hat Enterprise Linux 7 Security Technical Implementation Guide, GitLab does not install properly without making changes to SELinux file contexts within the GitLab installation directory.
Steps to reproduce
OS used: Red Hat Enterprise Linux 7.9
Relevant DISA STIG Requirements:
RHEL-07-020020 Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Set the default SELinux user context to user_u:
semanage login -m -S targeted -s "user_u" -r s0 __default__
Set administrators to staff_u
semanage login -a -s staff_u insert_admin_username_here
Restore the SELinux file contexts of the admin's home directory if needed
restorecon -RvF /home/insert_admin_username_here
RHEL-07-020023 Configure the operating system to elevate the SELinux context when an administrator calls the sudo command.
Edit the relevant file under /etc/sudoers.d/ to reflect the change:
%insert_admin_group_here ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Logged out and logged back in with the admin account, then became root and verified the SELinux context via:
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
Run standard GitLab installation:
# EXTERNAL_URL="https://insert_hostname_here" rpm -ivh gitlab-ee-15.3.3-ee.0.el7.x86_64.rpm
warning: gitlab-ee-15.3.3-ee.0.el7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID f27eab47: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:gitlab-ee-15.3.3-ee.0.el7 ################################# [100%]
It looks like there was a problem with public attributes; run gitlab-ctl reconfigure manually to fix.
warning: %posttrans(gitlab-ee-15.3.3-ee.0.el7.x86_64) scriptlet failed, exit status 1
Running gitlab-ctl reconfigure and checking the output of /opt/gitlab/embedded/cookbooks/cache/chef-stacktrace.out shows the following:
Generated at 2022-09-13 14:55:09 -0400
Errno::EACCES: templatesymlink[Create a config.yml and create a symlink to Rails root] (gitlab::gitlab-shell line 54) had an error: Errno::EACCES: template[/var/opt/gitlab/gitlab-shell/config.yml] (gitlab::gitlab-shell line 36) had an error: Errno::EACCES: Permission denied @ rb_sysopen - /var/opt/gitlab/gitlab-shell/config.yml
The relevant audit log entry shows the following:
type=AVC msg=audit(1663089696.042:991086): avc: denied { read } for pid=29458 comm="cinc-client" name="config.yml" dev="dm-5" ino=8609101 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663089978.344:995805): avc: denied { open } for pid=30668 comm="cinc-client" path="/var/opt/gitlab/gitlab-shell/config.yml" dev="dm-5" ino=8609101 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663090585.437:1011015): avc: denied { ioctl } for pid=32799 comm="cinc-client" path="/var/opt/gitlab/gitlab-shell/config.yml" dev="dm-5" ino=8609101 ioctlcmd=5401 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0
type=AVC msg=audit(1663090588.781:1011038): avc: denied { ioctl } for pid=32799 comm="cinc-client" path="/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret" dev="dm-5" ino=4431477 ioctlcmd=5401 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0
Created an SELinux policy module to allow sysadm_t open/read/ioctl access on files of type gitlab_shell_t:
module allow_sysadm_t_gitlab_shell_t 1.0;
require {
type sysadm_t;
type gitlab_shell_t;
class file { open read ioctl };
}
#============= sysadm_t ==============
allow sysadm_t gitlab_shell_t:file open;
allow sysadm_t gitlab_shell_t:file read;
allow sysadm_t gitlab_shell_t:file ioctl;
Ran the following to build the SELinux policy module (requires policycoreutils-devel):
make -f /usr/share/selinux/devel/Makefile allow_sysadm_t_gitlab_shell_t.pp
Installed the newly created policy file
semodule -i allow_sysadm_t_gitlab_shell_t.pp
Running gitlab-ctl reconfigure again and checking the output of /opt/gitlab/embedded/cookbooks/cache/chef-stacktrace.out shows the following:
Generated at 2022-09-13 15:33:22 -0400
RuntimeError: redis_service[redis] (redis::enable line 19) had an error: RuntimeError: ruby_block[warn pending redis restart] (redis::enable line 68) had an error: RuntimeError: Execution of the command `/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket INFO` failed with a non-zero exit code (1)
stdout:
stderr: Could not connect to Redis at /var/opt/gitlab/redis/redis.socket: Permission denied
The relevant audit log entry shows the following:
type=AVC msg=audit(1663092123.099:1025530): avc: denied { write } for pid=39415 comm="redis-cli" name="redis.socket" dev="dm-5" ino=1005 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
The affected file, /var/opt/gitlab/redis/redis.socket, has the following SELinux context:
srwxrwxrwx. gitlab-redis gitlab-redis system_u:object_r:var_t:s0 /var/opt/gitlab/redis/redis.socket
Additionally, the audit log reports that sysadm_t cannot write to the following named pipes:
/opt/gitlab/sv/crond/log/supervise/ok
/opt/gitlab/sv/crond/supervise/ok
/opt/gitlab/sv/gitaly/log/supervise/ok
/opt/gitlab/sv/gitaly/supervise/ok
/opt/gitlab/sv/gitlab-kas/log/supervise/ok
/opt/gitlab/sv/gitlab-kas/supervise/ok
/opt/gitlab/sv/gitlab-workhorse/log/supervise/ok
/opt/gitlab/sv/gitlab-workhorse/supervise/ok
/opt/gitlab/sv/logrotate/log/supervise/ok
/opt/gitlab/sv/logrotate/supervise/ok
/opt/gitlab/sv/nginx/log/supervise/ok
/opt/gitlab/sv/nginx/supervise/ok
/opt/gitlab/sv/postgresql/log/supervise/ok
/opt/gitlab/sv/postgresql/supervise/ok
/opt/gitlab/sv/puma/log/supervise/ok
/opt/gitlab/sv/puma/supervise/ok
/opt/gitlab/sv/redis/log/supervise/ok
/opt/gitlab/sv/redis/supervise/ok
/opt/gitlab/sv/registry/log/supervise/ok
/opt/gitlab/sv/registry/supervise/ok
/opt/gitlab/sv/sidekiq/log/supervise/ok
/opt/gitlab/sv/sidekiq/supervise/ok
The default SELinux context of these pipes is (shown for one of them):
prw-------. root root system_u:object_r:usr_t:s0 /opt/gitlab/sv/crond/log/supervise/ok
From a security standpoint, I cannot recommend allowing sysadm_t write access to the entirety of the base usr_t and var_t types. Further information about this can be found in a post by former SELinux developer Dan Walsh: https://danwalsh.livejournal.com/69958.html
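To turn denials like the ones above into the narrowest possible rule without widening access to base types, here is an added Python example (not part of this issue and not GitLab's code): it parses AVC lines, groups them by source type, target type and object class, emits a policy module in the shape of the one above for application-specific target types such as gitlab_shell_t, and flags denials whose target is a base type such as var_t. The BASE_TYPES set, the module name and the sample denials are constructed assumptions.

```python
import re
from collections import defaultdict

# Broad base types that must not receive blanket allow rules (assumed list).
BASE_TYPES = {"usr_t", "var_t", "etc_t", "bin_t", "lib_t", "tmp_t", "default_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Constructed sample denials in the same shape as the auditd entries above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1.0:1): avc: denied { read } for pid=1 comm="cinc-client" '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1.0:2): avc: denied { open } for pid=1 comm="cinc-client" '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:gitlab_shell_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1.0:3): avc: denied { write } for pid=2 comm="redis-cli" '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0',
]

def parse_avcs(lines):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # the type is the third field of user:role:type[:range]
            key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def build_policy(denials, module="gitlab_local"):
    """Return (te_text, flagged). Narrow target types get allow rules; denials on
    base types are flagged, since the fix is a dedicated type, not a wider rule."""
    allows, flagged, types, classes = [], [], set(), defaultdict(set)
    for (src, tgt, cls), perms in sorted(denials.items()):
        if tgt in BASE_TYPES:
            flagged.append((src, tgt, cls, sorted(perms)))
            continue
        types.update((src, tgt))
        classes[cls].update(perms)
        allows.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    req = "".join(f"    type {t};\n" for t in sorted(types))
    req += "".join(f"    class {c} {{ {' '.join(sorted(p))} }};\n"
                   for c, p in sorted(classes.items()))
    te = f"module {module} 1.0;\n\nrequire {{\n{req}}}\n\n" + "\n".join(allows) + "\n"
    return te, flagged
```

On a real host the input would be the AVC lines from ausearch -m avc; the returned te_text can be built and installed with the same make and semodule steps shown above, while every flagged entry points at a file that needs a dedicated file context instead.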
What is the current bug behavior?
GitLab fails to reconfigure because SELinux denies the administrator's sysadm_t domain access to various GitLab related files.
What is the expected correct behavior?
- GitLab should implement SELinux policies to allow sysadm open/read/ioctl for the gitlab_shell_t type
- GitLab should have created a SELinux type for all named pipe files (see above) within /opt/gitlab/sv instead of having them be the base usr_t type
- GitLab should have created a SELinux type for all GitLab related socket files such as /var/opt/gitlab/redis/redis.socket (see above) instead of having it be the base var_t type
Results of GitLab environment info
OS used: Red Hat Enterprise Linux 7.9
GitLab version used: gitlab-ee-15.3.3-ee.0.el7.x86_64