SELinux not configured correctly for gitlab-shell on RHEL 8 clone with latest gitlab-ee
Summary
On self-hosted gitlab-ee on Rocky Linux 8, when SELinux is in Enforcing mode, I am not able to do a git clone, because SELinux is not configured correctly for gitlab-shell.
Btw, I initially posted about this on the GitLab forum (https://forum.gitlab.com/t/selinux-not-configured-correctly-for-gitlab-shell-on-rhel-8-clone-with-latest-gitlab-ee/65247), but I think that is not the best place for reporting bugs, so I am now posting this bug report here.
Steps to reproduce
I encountered it when migrating from another server; I have not tested it on a clean installation.
- Install Rocky Linux 8
- Install gitlab-ee from GitLab's repository, the same version as was on the old server
- Restore backup from previous server
- Upgrade to latest version
- On the client, try to git clone some repository
Btw, the problem is the same with the old version of GitLab (13.6.7) as with the latest (14.7.2).
What is the current bug behavior?
On the client I see this error (and the repository is not cloned from the server):
```
remote: Internal API unreachable
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
git did not exit cleanly (exit code 128)
```
What is the expected correct behavior?
Repository is cloned from server to client without any errors.
Relevant logs and/or screenshots
Output of checks
It works when I switch SELinux to permissive mode, so it is obviously an SELinux issue.
```
# audit2allow -a -l -w
type=AVC msg=audit(1644425667.730:600): avc: denied { open } for pid=69734 comm="gitlab-shell" path="/var/log/gitlab/gitlab-shell/gitlab-shell.log" dev="dm-0" ino=193346642 scontext=user_u:user_r:user_t:s0 tcontext=staff_u:object_r:var_log_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1644425667.732:601): avc: denied { write } for pid=69734 comm="gitlab-shell" name="socket" dev="dm-0" ino=8852552 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
```
```
# audit2allow -a -l -m gitlab-custom

module gitlab-custom 1.0;

require {
	type var_log_t;
	type var_t;
	type user_t;
	class file open;
	class sock_file write;
}

#============= user_t ==============
allow user_t var_log_t:file open;
allow user_t var_t:sock_file write;
```
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`)
```
[root@gitdevtst ~]# sudo gitlab-rake gitlab:env:info

System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.5p203
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.6
Redis Version:  6.0.16
Git Version:    2.33.1.
Sidekiq Version:6.3.1
Go Version:     unknown

GitLab information
Version:        14.7.2-ee
Revision:       39a169b2f25
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.7
URL:            https://gitdevtst.dcit.cz
HTTP Clone URL: https://gitdevtst.dcit.cz/some-group/some-project.git
SSH Clone URL:  git@gitdevtst.dcit.cz:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.22.2
Repository storage paths:
- default:      /opt/git/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
```
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (we will only investigate if the tests are passing)
```
[root@gitdevtst ~]# sudo gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.22.2 ? ... OK (13.22.2)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'dc.dcit.cz:636'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized.
Found 100 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/3 ... yes 2/20 ... yes 30/62 ... yes 30/63 ... yes 30/64 ... yes 30/66 ... yes 30/67 ... yes 30/68 ... yes 31/70 ... yes 31/71 ... yes 31/72 ... yes 31/73 ... yes 31/74 ... yes 31/75 ... yes 31/77 ... yes 30/78 ... yes 35/103 ... yes 35/104 ... 
yes 35/105 ... yes 35/106 ... yes 35/107 ... yes 35/108 ... yes 35/110 ... yes 36/119 ... yes 36/120 ... yes 36/121 ... yes 36/122 ... yes 36/123 ... yes 36/124 ... yes 36/126 ... yes 38/127 ... yes 38/128 ... yes 38/129 ... yes 38/130 ... yes 38/131 ... yes 38/132 ... yes 38/134 ... yes 39/135 ... yes 39/136 ... yes 39/137 ... yes 39/138 ... yes 39/139 ... yes 39/140 ... yes 39/142 ... yes 40/143 ... yes 40/144 ... yes 40/145 ... yes 40/146 ... yes 40/147 ... yes 40/148 ... yes 40/150 ... yes 41/151 ... yes 41/152 ... yes 41/153 ... yes 41/154 ... yes 41/155 ... yes 41/156 ... yes 41/158 ... yes 44/176 ... yes 44/177 ... yes 44/178 ... yes 44/179 ... yes 44/180 ... yes 44/181 ... yes 44/183 ... yes 45/184 ... yes 45/185 ... yes 45/186 ... yes 45/187 ... yes 45/188 ... yes 45/189 ... yes 45/191 ... yes 46/192 ... yes 46/193 ... yes 46/194 ... yes 46/195 ... yes 46/196 ... yes 46/197 ... yes 46/199 ... yes 47/200 ... yes 47/201 ... yes 47/202 ... yes 47/203 ... yes 47/204 ... yes 47/205 ... yes 47/207 ... yes 48/208 ... yes 48/209 ... yes 48/210 ... yes 48/211 ... yes 48/212 ... yes 48/213 ... yes 48/215 ... yes 58/257 ... yes 58/258 ... yes 58/259 ... yes 58/260 ... yes 58/261 ... yes 58/262 ... yes 58/264 ... yes 59/265 ... yes 59/266 ... yes 59/267 ... yes 59/268 ... yes 59/269 ... yes 59/270 ... yes 59/272 ... yes 62/281 ... yes 62/282 ... yes 62/283 ... yes 62/284 ... yes 62/285 ... yes 62/286 ... yes 62/288 ... yes 63/289 ... yes 63/290 ... yes 63/291 ... yes 63/292 ... yes 63/293 ... yes 63/294 ... yes 63/296 ... yes 65/305 ... yes 65/306 ... yes 65/307 ... yes 65/308 ... yes 65/309 ... yes 65/310 ... yes 65/312 ... yes 66/313 ... yes 66/314 ... yes 66/315 ... yes 66/316 ... yes 66/317 ... yes 66/318 ... yes 66/320 ... yes 67/321 ... yes 67/322 ... yes 67/323 ... yes 67/324 ... yes 67/325 ... yes 67/326 ... yes 67/328 ... yes 70/345 ... yes 70/346 ... yes 70/347 ... yes 70/348 ... yes 70/349 ... yes 70/350 ... yes 70/352 ... yes 71/353 ... yes 71/354 ... 
yes 71/355 ... yes 71/356 ... yes 71/357 ... yes 71/358 ... yes 71/360 ... yes 72/361 ... yes 72/362 ... yes 72/363 ... yes 72/364 ... yes 72/365 ... yes 72/366 ... yes 72/368 ... yes 74/377 ... yes 74/378 ... yes 74/379 ... yes 74/380 ... yes 74/381 ... yes 74/382 ... yes 74/384 ... yes 75/385 ... yes 75/386 ... yes 75/387 ... yes 75/388 ... yes 75/389 ... yes 75/390 ... yes 75/392 ... yes 77/401 ... yes 77/402 ... yes 77/403 ... yes 77/404 ... yes 77/405 ... yes 77/406 ... yes 77/408 ... yes 78/409 ... yes 78/410 ... yes 78/411 ... yes 78/412 ... yes 78/413 ... yes 78/414 ... yes 78/416 ... yes 79/417 ... yes 79/418 ... yes 79/419 ... yes 79/420 ... yes 79/421 ... yes 79/422 ... yes 79/424 ... yes 80/425 ... yes 80/426 ... yes 80/427 ... yes 80/428 ... yes 80/429 ... yes 80/430 ... yes 80/432 ... yes 81/433 ... yes 81/434 ... yes 81/435 ... yes 81/436 ... yes 81/437 ... yes 81/438 ... yes 81/440 ... yes 83/449 ... yes 83/450 ... yes 83/451 ... yes 83/452 ... yes 83/453 ... yes 83/454 ... yes 83/456 ... yes 85/465 ... yes 85/466 ... yes 85/467 ... yes 85/468 ... yes 85/469 ... yes 85/470 ... yes 85/472 ... yes 86/473 ... yes 86/474 ... yes 86/475 ... yes 86/476 ... yes 86/477 ... yes 86/478 ... yes 86/480 ... yes 87/481 ... yes 87/482 ... yes 87/483 ... yes 87/484 ... yes 87/485 ... yes 87/486 ... yes 87/488 ... yes 89/497 ... yes 89/498 ... yes 89/499 ... yes 89/500 ... yes 89/501 ... yes 89/502 ... yes 89/504 ... yes 90/505 ... yes 90/506 ... yes 90/507 ... yes 90/508 ... yes 90/509 ... yes 90/510 ... yes 90/512 ... yes 91/513 ... yes 91/514 ... yes 91/515 ... yes 91/516 ... yes 91/517 ... yes 91/518 ... yes 91/520 ... yes 92/521 ... yes 92/522 ... yes 92/523 ... yes 92/524 ... yes 92/525 ... yes 92/526 ... yes 92/528 ... yes 93/529 ... yes 93/530 ... yes 93/531 ... yes 93/532 ... yes 93/533 ... yes 93/534 ... yes 93/536 ... yes 95/545 ... yes 95/546 ... yes 95/547 ... yes 95/548 ... yes 95/549 ... yes 95/550 ... yes 95/552 ... yes 96/553 ... yes 96/554 ... 
yes 96/555 ... yes 96/556 ... yes 96/557 ... yes 96/558 ... yes 96/560 ... yes 97/561 ... yes 97/562 ... yes 97/563 ... yes 97/564 ... yes 97/565 ... yes 97/566 ... yes 97/568 ... yes 98/569 ... yes 98/570 ... yes 98/571 ... yes 98/572 ... yes 98/573 ... yes 98/574 ... yes 98/576 ... yes 99/577 ... yes 99/578 ... yes 99/579 ... yes 99/580 ... yes 99/581 ... yes 99/582 ... yes 99/584 ... yes 101/593 ... yes 101/594 ... yes 101/595 ... yes 101/596 ... yes 101/597 ... yes 101/598 ... yes 101/600 ... yes 102/601 ... yes 102/602 ... yes 102/603 ... yes 102/604 ... yes 102/605 ... yes 102/606 ... yes 102/608 ... yes 103/609 ... yes 103/610 ... yes 103/611 ... yes 103/612 ... yes 103/613 ... yes 103/614 ... yes 103/616 ... yes 106/633 ... yes 106/634 ... yes 106/635 ... yes 106/636 ... yes 106/637 ... yes 106/638 ... yes 106/640 ... yes 107/641 ... yes 107/642 ... yes 107/643 ... yes 107/644 ... yes 107/645 ... yes 107/646 ... yes 107/648 ... yes 108/649 ... yes 108/650 ... yes 108/651 ... yes 108/652 ... yes 108/653 ... yes 108/654 ... yes 108/656 ... yes 109/657 ... yes 109/658 ... yes 109/659 ... yes 109/660 ... yes 109/661 ... yes 109/662 ... yes 109/664 ... yes 111/673 ... yes 111/674 ... yes 111/675 ... yes 111/676 ... yes 111/677 ... yes 111/678 ... yes 111/680 ... yes 112/681 ... yes 112/682 ... yes 112/683 ... yes 112/684 ... yes 112/685 ... yes 112/686 ... yes 112/688 ... yes 113/689 ... yes 113/690 ... yes 113/691 ... yes 113/692 ... yes 113/693 ... yes 113/694 ... yes 113/696 ... yes 114/697 ... yes 114/698 ... yes 114/699 ... yes 114/700 ... yes 114/701 ... yes 114/702 ... yes 114/704 ... yes 115/705 ... yes 115/706 ... yes 115/707 ... yes 115/708 ... yes 115/709 ... yes 115/710 ... yes 115/712 ... yes 116/713 ... yes 116/714 ... yes 116/715 ... yes 116/716 ... yes 116/717 ... yes 116/718 ... yes 116/720 ... yes 2/759 ... yes 251/761 ... yes 2/788 ... yes 251/795 ... yes 251/798 ... yes 251/799 ... yes 183/800 ... yes 183/801 ... yes 183/802 ... 
yes 183/803 ... yes 183/804 ... yes 183/805 ... yes 183/807 ... yes 251/808 ... yes 251/809 ... yes 251/810 ... yes 251/811 ... yes 251/812 ... yes 251/813 ... yes 252/814 ... yes 191/815 ... yes 191/816 ... yes 191/817 ... yes 191/818 ... yes 191/819 ... yes 191/820 ... yes 191/822 ... yes 2/867 ... yes 251/868 ... yes 251/869 ... yes 148/870 ... yes 253/871 ... yes 253/872 ... yes 253/873 ... yes 253/874 ... yes 251/875 ... yes 251/876 ... yes 251/877 ... yes 251/878 ... yes 253/879 ... yes 278/880 ... yes 278/881 ... yes 278/882 ... yes 278/883 ... yes 278/884 ... yes 278/885 ... yes 280/886 ... yes 280/887 ... yes 280/888 ... yes 280/889 ... yes 280/890 ... yes 280/891 ... yes 251/892 ... yes 30/893 ... yes 281/894 ... yes 281/895 ... yes 281/896 ... yes 281/897 ... yes 281/898 ... yes 281/899 ... yes 281/900 ... yes 251/901 ... yes 41/903 ... yes 294/904 ... yes 294/905 ... yes 294/906 ... yes 294/907 ... yes 294/908 ... yes 296/914 ... yes 296/915 ... yes 296/916 ... yes 296/917 ... yes 296/918 ... yes 296/919 ... yes 19/920 ... yes 59/922 ... yes 91/923 ... yes 171/924 ... yes 305/927 ... yes 305/928 ... yes 305/929 ... yes 305/930 ... yes 305/931 ... yes 306/932 ... yes 306/933 ... yes 306/934 ... yes 306/935 ... yes 306/936 ... yes 3/937 ... yes 251/938 ... yes 30/939 ... yes 171/940 ... yes 251/941 ... yes 331/971 ... yes 331/972 ... yes 331/973 ... yes 331/974 ... yes 331/975 ... yes 15/976 ... yes 15/977 ... yes 65/978 ... yes 15/979 ... yes 15/981 ... yes 15/983 ... yes 15/984 ... yes 278/985 ... yes 336/986 ... yes 337/987 ... yes 338/988 ... yes 337/989 ... yes 339/990 ... yes 339/991 ... yes 340/992 ... yes 339/993 ... yes 342/994 ... yes 342/995 ... yes 336/996 ... yes 343/997 ... yes 344/998 ... yes 344/999 ... yes 343/1000 ... yes 346/1001 ... yes 346/1002 ... yes 352/1004 ... yes 360/1005 ... yes 358/1006 ... yes 354/1007 ... yes 347/1009 ... yes 354/1010 ... yes 355/1011 ... yes 355/1012 ... yes 355/1013 ... yes 331/1014 ... yes 30/1015 ... 
yes 30/1016 ... yes 30/1017 ... yes 362/1018 ... yes 81/1019 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git version >= 2.33.0 ? ... yes (2.33.1)
Git user has default SSH configuration? ... yes
Active users: ... 105
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
```
Possible fixes
I was able to solve it by creating an SELinux policy, at first not good enough because it allowed things directly for user_r, then making it better with the help of my SELinux-knowledgeable coworker.
For now, the final version of my somewhat better (than just allowing things directly for user_t) SELinux policy is:
gitlab-custom.te
```
policy_module(gitlab-custom, 1.0.2)

# macros are defined under /usr/share/selinux/devel/include/
gen_require(`
	type var_t;
	type sysfs_t;
')

# A dedicated domain for gitlab-shell, instead of widening user_t (the SSH
# login domain in the AVC records) for every user on the box.
type gitlab_shell_t;
type gitlab_shell_exec_t;
application_domain(gitlab_shell_t, gitlab_shell_exec_t)

# Own type for /var/log/gitlab/gitlab-shell, so the log rule is limited to
# that directory rather than to everything labelled var_log_t.
type gitlab_shell_log_t;
logging_log_file(gitlab_shell_log_t)
append_files_pattern(gitlab_shell_t, gitlab_shell_log_t, gitlab_shell_log_t)

dev_read_sysfs(gitlab_shell_t)

# The socket gitlab-shell writes to (name="socket" in the second AVC) is
# still labelled with the generic var_t, as are files it reads there.
allow gitlab_shell_t var_t:file { getattr open read };
allow gitlab_shell_t var_t:sock_file write;

# Let user_r/user_t (the SSH session of the git user) transition into
# gitlab_shell_t when it executes the gitlab-shell binary.
optional_policy(`
	gitlab_shell_role(user_r, user_t)
')
```
gitlab-custom.fc
```
# log directory gets its own type; the binary gets the entrypoint type
/var/log/gitlab/gitlab-shell(/.*)?				gen_context(system_u:object_r:gitlab_shell_log_t,s0)
/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell	--	gen_context(system_u:object_r:gitlab_shell_exec_t,s0)
```
gitlab-custom.if
```
## <summary>Allow role $1 with domain $2 (e.g. user_r/user_t) to execute
## gitlab-shell and transition into the gitlab_shell_t domain.</summary>
interface(`gitlab_shell_role',`
	gen_require(`
		role $1;
		type $2;
		type gitlab_shell_t, gitlab_shell_exec_t;
	')

	# the role may have processes running in gitlab_shell_t
	role $1 types gitlab_shell_t;
	# executing gitlab_shell_exec_t from $2 transitions into gitlab_shell_t
	domtrans_pattern($2, gitlab_shell_exec_t, gitlab_shell_t)
	# and $2 can still see those processes (e.g. in ps)
	ps_process_pattern($2, gitlab_shell_t)
')
```
then execute:
```
# needs the selinux-policy-devel package (provides /usr/share/selinux/devel/Makefile);
# run in the directory holding gitlab-custom.te, gitlab-custom.fc and gitlab-custom.if
make -f /usr/share/selinux/devel/Makefile
semodule -i gitlab-custom.pp
make -f /usr/share/selinux/devel/Makefile clean
# apply the new file contexts from gitlab-custom.fc to the binary and the log directory
restorecon -v -F /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
restorecon -R -v -F /var/log/gitlab/gitlab-shell
```
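The difference between the audit2allow output quoted under "Output of checks" and the dedicated-domain policy under "Possible fixes" is the security-relevant point of this report: the generated rules widen user_t, the login domain of every SSH user, to var_log_t and var_t, while the hand-written module confines only gitlab-shell. The script below is an added example (not from this report, GitLab or gitlab-shell): it parses the two AVC records quoted above, merges them into audit2allow-style allow rules, and flags any rule whose source is a generic login domain and whose target is a catch-all file type. The BROAD_* sets are my own heuristic, not anything SELinux or audit2allow defines, and SAMPLE_AUDIT is a constructed copy of the report's denials.

```python
"""Turn SELinux AVC denials into candidate TE allow rules (as audit2allow does)
and flag rules that would widen a generic login domain such as user_t.

Added example for this issue; not part of GitLab or gitlab-shell.
"""
import re
from collections import defaultdict

# Constructed input: the two AVC records quoted in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1644425667.730:600): avc: denied { open } for pid=69734 comm="gitlab-shell" path="/var/log/gitlab/gitlab-shell/gitlab-shell.log" dev="dm-0" ino=193346642 scontext=user_u:user_r:user_t:s0 tcontext=staff_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1644425667.732:601): avc: denied { write } for pid=69734 comm="gitlab-shell" name="socket" dev="dm-0" ino=8852552 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Heuristic (assumption, not an SELinux definition): login/user domains and
# catch-all file types that a generated allow rule should not join together;
# the better fix is a dedicated domain and file type, as in gitlab-custom.te.
BROAD_SOURCE_TYPES = {"user_t", "staff_t", "sysadm_t", "unconfined_t"}
BROAD_TARGET_TYPES = {"var_t", "var_log_t", "etc_t", "usr_t", "tmp_t"}


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or one without a context)
        denials.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def allow_rules(denials):
    """Merge denials into TE allow rules keyed on (source, target, class),
    so repeated denials of the same pair collapse into one rule."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_list = " ".join(sorted(perms))
        body = perm_list if len(perms) == 1 else "{ %s }" % perm_list
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


def over_broad(denials):
    """(source, target, class) triples that would grant a generic login
    domain access to a catch-all type; these call for a dedicated domain."""
    flagged = {(src, tgt, cls) for src, tgt, cls, _ in denials
               if src in BROAD_SOURCE_TYPES and tgt in BROAD_TARGET_TYPES}
    return sorted(flagged)


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    print("\n".join(allow_rules(denials)))
    for src, tgt, cls in over_broad(denials):
        print("# over-broad: %s -> %s:%s; confine the program in its own domain"
              % (src, tgt, cls))
```

On the report's two denials the script reproduces the `allow user_t var_log_t:file open;` and `allow user_t var_t:sock_file write;` rules that audit2allow emitted, and flags both, which is exactly why the policy in this section introduces gitlab_shell_t and gitlab_shell_log_t instead of loading the generated module.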