Add selinux module for gitlab-shell
What does this MR do?
In GitLab version 13.4, gitlab-shell was changed to go through Workhorse. Reference: !4498 (merged). This change results in database SSH key lookups failing on RHEL-based distributions with SELinux enforcing. This MR adds a module that applies SELinux contexts allowing SSH lookups to go through the Workhorse unix socket.
Currently, users with GitLab version 13.4 using fast ssh lookup can get a permission denied when using git ssh commands. This is due to missing rules for selinux to allow database ssh lookups through the Workhorse socket.
The Type Enforcement file was generated by running the command `ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell`.
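As an added example (not code from this MR or from omnibus-gitlab), the following POSIX shell triages audit records for the denial described above, so an operator can confirm the symptom on a host before building a policy package. The audit lines and their SELinux context labels are constructed placeholders, not records from a real GitLab host.

```shell
#!/bin/sh
# Added example: find AVC denials raised by the gitlab-shell helper (the
# kernel truncates comm to 15 bytes, hence "gitlab-shell-au") that involve
# the Workhorse unix socket, before reaching for audit2allow.

# Constructed sample audit records; scontext/tcontext are placeholders.
SAMPLE_AUDIT='type=AVC msg=audit(1600000000.100:101): avc:  denied  { connectto } for  pid=2001 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/socket" scontext=system_u:system_r:placeholder_a_t:s0 tcontext=system_u:system_r:placeholder_b_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1600000000.200:102): avc:  denied  { write } for  pid=2001 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=4242 scontext=system_u:system_r:placeholder_a_t:s0 tcontext=system_u:object_r:placeholder_c_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1600000000.300:103): avc:  denied  { name_connect } for  pid=3003 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Keep only AVC denials attributed to the gitlab-shell helper (stdin -> stdout).
gitlab_shell_denials() {
  grep 'avc:  denied' | grep 'comm="gitlab-shell-au"' || true
}

# Number of such denials in the records on stdin.
count_gitlab_shell_denials() {
  gitlab_shell_denials | grep -c . || true
}

# Distinct permissions that were denied, one per line, sorted.
denied_permissions() {
  gitlab_shell_denials | sed -n 's/.*denied  { \(.*\) } for.*/\1/p' | tr ' ' '\n' | sort -u
}

# Exit 0 when a denial touches the Workhorse socket, i.e. the symptom from
# this MR ("dial unix ...: connect: permission denied"); exit 1 otherwise.
touches_workhorse_socket() {
  gitlab_shell_denials | grep -q -e 'gitlab-workhorse/socket' -e 'name="socket"'
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_AUDIT" | touches_workhorse_socket; then
  echo "gitlab-shell is denied access to the Workhorse socket; denied permissions:"
  printf '%s\n' "$SAMPLE_AUDIT" | denied_permissions
  echo "review with: ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell"
fi
```

On a real host, replace the sample with `ausearch -m avc --raw` output; review the generated .te file before installing any policy package.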
Related issues
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- trigger-package has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
added Support Team Contributions label
changed milestone to %13.5
@wchandler mind taking a look?
Nice find @john_long! I'm not sure if we have an issue for this one already. The bug is not looking great, selinux enforced + fast SSH lookup enabled (which is required for all Geo setups, for example) will break in 13.4.0 and it looks like the cause of at least 3 customer tickets so far, we may want to ~"Pick into 13.4":
"error":"Get \"http://unix/api/v4/internal/authorized_keys?key=...\": dial unix /var/opt/gitlab/gitlab-workhorse/socket: connect: permission denied"
/cc @pursultani @ljlane FYI
added customer, group::distribution, severity::2, type::bug labels
I initially created the policy package file incorrectly. I ran back through the steps based on https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-selinux/README.md and am testing once more to verify this policy package file works on a fresh instance, on which it was not created.
I replicated the issue by creating a CentOS 7 instance, then installing GitLab 13.3.6. Once installed, I set up and verified that fast ssh lookup was functional. Once that was done, I upgraded to GitLab 13.4.0 and retested. This time, git ssh commands were failing.
I installed the setroubleshoot package and used sealert to analyze the audit logs, where I found the recommended command to allow gitlab-shell calls through the Workhorse socket. I used the command `ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell` to generate the type enforcement file, then followed the steps in https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-selinux/README.md to generate the policy package file. I then created a new CentOS 7 instance, installed GitLab 13.4.1, made the changes this MR does to the appropriate files and reconfigured. This successfully set the context based on the policy package.