Verify what additional steps are needed to make GitLab work with fapolicyd
Proposal
Some of our users & customers using self-managed GitLab instances might be interested in using fapolicyd for increased security of their GitLab instances. We need to explore whether fapolicyd is fully compatible with GitLab and document any additional configuration needed to make it work.
I've created this issue as a feature proposal because we do not mention fapolicyd in our documentation, but it may also be treated as a bug if we treat fapolicyd as supported.
Known issues
- install Alma Linux 8 machine (used EC2)
- enable FIPS by running fips-mode-setup --enable
- install and enable fapolicyd using the guide "15.2. Deploying fapolicyd"
- install gitlab-fips Omnibus package
The installation is successful, but creation of files in a new project fails with the error:
13:commit: commit: starting process [/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go -log-format json -log-level -correlation-id 01GP1383JV6JD6MQJBH2E1RT03 -enabled-feature-flags -disabled-feature-flags commit]: fork/exec /var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go: operation not permitted.
If you try to restore a backup of GitLab, the restore completes successfully, but the repositories are shown as empty in the UI. A number of similar errors are written to the gitaly/current log during the restoration:
"error": "exit status 128, stderr: \"fatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction':
Operation not permitted\\nfatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction': Operation
not permitted\\nfatal: ref updates aborted by hook\\n\"",
"grpc.code": "Internal",
"grpc.meta.deadline_type": "none",
"grpc.meta.method_type": "client_stream",
"grpc.method": "FetchBundle",
"grpc.request.fullMethod": "/gitaly.RepositoryService/FetchBundle",
...
Troubleshooting the gitaly error
One can run fapolicyd in debug mode, save its output to a file, and grep that file for deny_audit to find out why fapolicyd denies something:
grep deny_audit fapolicy.output
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
deny_audit perm=open all : ftype=application/x-sharedlib
deny_audit perm=any all : ftype=%languages
deny_audit perm=execute all : all
rule=15 dec=deny_audit perm=execute auid=-1 pid=11443 exe=/opt/gitlab/embedded/bin/gitaly : path=/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go ftype=application/x-executable trust=0
To fix both errors mentioned above, I've added the rule to allow all executables in /var/opt/gitlab/gitaly/ and restarted fapolicyd:
cat /etc/fapolicyd/rules.d/80-myapps.rules
allow perm=any all : ftype=application/x-executable dir=/var/opt/gitlab/gitaly/
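As an added example (not code from this issue, from GitLab or from fapolicyd), a small POSIX shell helper that parses fapolicyd debug-mode denial lines in the format shown above, keeps the execute denials requested by binaries under /opt/gitlab/embedded/bin/ (an assumed filter), and reports which denied paths the allow rule above (dir=/var/opt/gitlab/gitaly/) would still leave uncovered; the sample lines are constructed.

```shell
#!/bin/sh
# Added triage helper (not from the issue): given fapolicyd debug output,
# list execute denials whose requesting binary lives under the GitLab
# embedded bin directory and flag the denied paths that the issue's allow
# rule (dir=/var/opt/gitlab/gitaly/) would not cover.

GITLAB_BIN=/opt/gitlab/embedded/bin/   # assumption: Omnibus binary prefix
ALLOW_DIR=/var/opt/gitlab/gitaly/      # dir= value of the rule in the issue

# Constructed sample lines in the format fapolicyd prints in debug mode.
# Lines 1-2 mirror the two denials from the issue; lines 3-4 are made up.
SAMPLE='rule=15 dec=deny_audit perm=execute auid=-1 pid=11443 exe=/opt/gitlab/embedded/bin/gitaly : path=/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=11501 exe=/opt/gitlab/embedded/bin/git : path=/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=11602 exe=/opt/gitlab/embedded/bin/ruby : path=/var/opt/gitlab/gitlab-rails/tmp/constructed-helper ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=1000 pid=12000 exe=/usr/bin/bash : path=/home/admin/tool.sh ftype=text/x-shellscript trust=0'

# Print "path ftype" for each execute denial requested by a GitLab binary.
gitaly_denials() {
    sed -n "s|^.*dec=deny_audit perm=execute .*exe=${GITLAB_BIN}[^ ]* : path=\([^ ]*\) ftype=\([^ ]*\).*$|\1 \2|p"
}

# Exit 0 if the path lies below ALLOW_DIR (a prefix match, like dir= in the rule).
covered_by_rule() {
    case "$1" in
        "$ALLOW_DIR"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "path ftype" lines and print only the paths the rule would not cover.
uncovered_denials() {
    while read -r path ftype; do
        covered_by_rule "$path" || printf '%s (%s)\n' "$path" "$ftype"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | gitaly_denials | uncovered_denials
```

The helper treats dir= as a prefix match, which is why the trailing slash in the rule matters: /var/opt/gitlab/gitaly-other/ would not be covered.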
References
This issue was created on the basis of a customer ticket where we faced the problem after restoring a backup: ZD internal ticket
Other tickets where users faced potentially related issues:
- Failures when importing repositories - ZD internal ticket 1, ZD internal ticket 2
- A number of gitaly-related issues - ZD internal ticket 3