Verify what additional steps are needed to make GitLab work with fapolicyd

Proposal

Some of our users & customers using self-managed GitLab instances might be interested in using fapolicyd for increased security of their GitLab instances. We need to explore whether fapolicyd is fully compatible with GitLab and document any additional configuration needed to make it work.

I've created this issue as a feature proposal because we do not mention fapolicyd, but it may also be treated as a bug if we treat fapolicyd as supported.

Known issues

  • install an Alma Linux 8 machine (an EC2 instance was used)
  • enable FIPS mode by running fips-mode-setup --enable
  • install and enable fapolicyd following the guide 15.2. Deploying fapolicyd
  • install the gitlab-fips Omnibus package

The installation is successful, but creation of files in a new project fails with the error:

13:commit: commit: starting process [/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go -log-format json -log-level -correlation-id 01GP1383JV6JD6MQJBH2E1RT03 -enabled-feature-flags -disabled-feature-flags commit]: fork/exec /var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go: operation not permitted.

If you try to restore a backup of GitLab, it completes successfully, but the repositories are shown as empty in the UI. A number of similar errors are written to the gitaly/current log during the restoration:

  "error": "exit status 128, stderr: \"fatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction': Operation not permitted\\nfatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction': Operation not permitted\\nfatal: ref updates aborted by hook\\n\"",
  "grpc.code": "Internal",
  "grpc.meta.deadline_type": "none",
  "grpc.meta.method_type": "client_stream",
  "grpc.method": "FetchBundle",
  "grpc.request.fullMethod": "/gitaly.RepositoryService/FetchBundle",
...

Troubleshooting the gitaly error

One can run fapolicyd in debug mode and grep its output for deny_audit to see which rule denies the operation; the last line below shows rule 15 (the catch-all execute deny) rejecting the gitaly-git2go binary because it is not in the trust database (trust=0):

grep deny_audit fapolicy.output
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
deny_audit perm=open all : ftype=application/x-sharedlib
deny_audit perm=any all : ftype=%languages
deny_audit perm=execute all : all
rule=15 dec=deny_audit perm=execute auid=-1 pid=11443 exe=/opt/gitlab/embedded/bin/gitaly : path=/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go ftype=application/x-executable trust=0

To fix both errors mentioned above, I've added a rule that allows all executables in /var/opt/gitlab/gitaly/ and restarted fapolicyd:

cat /etc/fapolicyd/rules.d/80-myapps.rules
allow perm=any all : ftype=application/x-executable dir=/var/opt/gitlab/gitaly/
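As an added example (not part of the issue or of GitLab), a small shell helper that turns the deny_audit lines from a fapolicyd debug run into candidate allow rules scoped to one directory. The sample denial lines are constructed from the errors above; the generated rule keeps the observed perm instead of perm=any, so it is narrower than the rule in the issue and should be reviewed before being placed in /etc/fapolicyd/rules.d/.

```shell
#!/bin/sh
# Added example, not from the GitLab issue. Constructed sample of fapolicyd
# debug output: the two denials seen in the issue plus one unrelated denial
# outside the GitLab directory, which must not produce a rule.
SAMPLE_DENIES='rule=15 dec=deny_audit perm=execute auid=-1 pid=11443 exe=/opt/gitlab/embedded/bin/gitaly : path=/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=11501 exe=/opt/gitlab/embedded/bin/git : path=/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction ftype=application/x-executable trust=0
rule=3 dec=deny_audit perm=open auid=-1 pid=11600 exe=/usr/bin/python3 : path=/tmp/unrelated.so ftype=application/x-sharedlib trust=0'

# suggest_rules DIR
# Reads fapolicyd debug output on stdin and prints one de-duplicated allow
# rule per (perm, ftype) pair for denied paths under DIR. Only lines carrying
# "dec=deny_audit" are decisions; the rule dump at the top of the debug
# output (which also contains the word deny_audit) is skipped.
suggest_rules() {
    root=$1
    awk -v root="$root" '
        /dec=deny_audit/ {
            perm = ""; path = ""; ftype = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "perm")       perm  = kv[2]
                else if (kv[1] == "path")  path  = kv[2]
                else if (kv[1] == "ftype") ftype = kv[2]
            }
            # keep only denials whose path starts with the chosen directory
            if (path == "" || index(path, root) != 1) next
            rule = "allow perm=" perm " all : ftype=" ftype " dir=" root
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

# Stand-alone run: print the candidate rule(s) for the GitLab gitaly directory.
# Put the reviewed output into /etc/fapolicyd/rules.d/80-myapps.rules (the
# number must sort before the final deny rules) and restart fapolicyd.
printf '%s\n' "$SAMPLE_DENIES" | suggest_rules /var/opt/gitlab/gitaly/
```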

References

This issue was created on the basis of a customer ticket where we faced a problem after restoring a backup: ZD internal ticket

Other tickets where users faced potentially related issues:

  • Failures when importing repositories - ZD internal ticket 1, ZD internal ticket 2
  • A number of gitaly-related issues - ZD internal ticket 3
Edited Jan 06, 2023 by Alexandr Tanayno