
Add selinux module for gitlab-shell

Merged John Long requested to merge john_long-add-selinux-module-for-gitlab-shell into master

What does this MR do?

In GitLab version 13.4, gitlab-shell was changed to go through Workhorse. Reference: !4498 (merged). This change results in database ssh key lookups failing on RHEL-based distributions with selinux enforcing. This MR adds a module to apply contexts for selinux to allow SSH to go through the Workhorse unix socket.

Currently, users with GitLab version 13.4 using fast ssh lookup can get a permission denied when using git ssh commands. This is due to missing rules for selinux to allow database ssh lookups through the Workhorse socket.

The Type Enforcement file was generated by running the command ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell.

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by John Long

  • John Long marked as a Work In Progress

    • Resolved by DJ Mountney

      Nice find @john_long! I'm not sure if we have an issue for this one already. The bug is not looking great, selinux enforced + fast SSH lookup enabled (which is required for all Geo setups, for example) will break in 13.4.0 and it looks like the cause of at least 3 customer tickets so far, we may want to ~"Pick into 13.4":

      "error":"Get \"http://unix/api/v4/internal/authorized_keys?key=...\": dial unix /var/opt/gitlab/gitlab-workhorse/socket: connect: permission denied"

      /cc @pursultani @ljlane FYI

  • John Long added 1 commit

    • 7a883a37 - Recreated compiled file based on readme

  • John Long added 1 commit

    • 4f88207d - Replace gitlab-13.5.0-gitlab-shell.pp

  • John Long unmarked as a Work In Progress

  • John Long changed the description

  • Author Contributor

    I replicated the issue by creating a CentOS 7 instance, then installed GitLab 13.3.6. Once installed, I set up and verified fast ssh lookup was functional. Once that was done, I upgraded to GitLab 13.4.0 and retested. This time, git ssh commands were failing.

    I installed the setroubleshoot package and used sealert to analyze the audit logs, where I found the recommended command to allow gitlab-shell calls through the Workhorse socket. I used the command ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell to generate the type enforcement file, then followed the steps in https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-selinux/README.md to generate the policy package file.

    I then created a new CentOS 7 instance, installed GitLab 13.4.1 and made the changes this MR does to the appropriate files and reconfigured. This successfully set the context based on the policy package.
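
The ausearch | audit2allow step named in the description and in the reproduction above turns raw AVC denials into the allow rules of a Type Enforcement (.te) file, which is then compiled into the .pp policy package this MR ships. The following is an added example, not code from this MR, from omnibus-gitlab or from the gitlab-selinux README: it parses constructed audit records in the shape `ausearch -c 'gitlab-shell-au' --raw` returns, collapses them into allow rules, renders them in the layout audit2allow -M uses, and flags rules whose target is a generic file type, where the right fix is usually a file-context label rather than a new allow rule. The security contexts in the sample (sshd_t, init_t, var_t) and the module version are assumptions, not values taken from the MR.

```python
"""Derive SELinux allow rules from AVC denials, the way audit2allow -M does.

Added example, not code from the omnibus-gitlab MR or the gitlab-selinux
README. The audit records are constructed to resemble what
`ausearch -c 'gitlab-shell-au' --raw` returns when the sshd-spawned
gitlab-shell helper is refused the Workhorse unix socket; the security
contexts (sshd_t, init_t, var_t) are assumptions, not values from the MR.
"""
import re
from collections import defaultdict

# Constructed sample. The kernel caps comm= at 15 characters, which is why the
# MR searches for 'gitlab-shell-au' rather than the full helper binary name.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1601234567.890:1234): avc:  denied  { connectto } for  pid=4242 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1601234567.890:1234): arch=c000003e syscall=42 success=no exit=-13 comm="gitlab-shell-au" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1601234567.891:1235): avc:  denied  { write } for  pid=4242 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1310720 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1601234567.891:1236): avc:  denied  { connectto } for  pid=4243 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Generic file types; a denial against one of these usually means the object is
# mislabelled and the fix is a file context, not a new allow rule (heuristic).
GENERIC_TARGET_TYPES = {"var_t", "tmp_t", "usr_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_denials(raw, comm=None):
    """Return one dict per AVC denial, optionally filtered on comm= (like ausearch -c)."""
    denials = []
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records carry no access decision
        d = m.groupdict()
        if comm is not None and d["comm"] != comm:
            continue
        d["perms"] = frozenset(d["perms"].split())
        denials.append(d)
    return denials


def _aggregate(denials):
    """Merge denials into {(source_type, target_type, class): permissions}."""
    merged = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        merged[key] |= d["perms"]
    return merged


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """One allow statement per (source, target, class), duplicates collapsed."""
    return [f"allow {s} {t}:{c} {_fmt_perms(p)};"
            for (s, t, c), p in sorted(_aggregate(denials).items())]


def type_enforcement(module_name, denials, version="1.0"):
    """Render a .te file in the layout audit2allow -M produces."""
    merged = _aggregate(denials)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({s for s, _, _ in merged}):
        out.append(f"#============= {src} ==============")
        out += [r for r in allow_rules(denials) if r.startswith(f"allow {src} ")]
    return "\n".join(out) + "\n"


def review_rules(denials):
    """Pair each generated rule with a verdict before it is compiled and loaded."""
    verdicts = []
    for (s, t, c), p in sorted(_aggregate(denials).items()):
        rule = f"allow {s} {t}:{c} {_fmt_perms(p)};"
        verdict = "check labelling first" if t in GENERIC_TARGET_TYPES else "ok to allow"
        verdicts.append((rule, verdict))
    return verdicts


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT, comm="gitlab-shell-au")
    print(type_enforcement("gitlab-13.5.0-gitlab-shell", found))
    for rule, verdict in review_rules(found):
        print(f"{verdict:22} {rule}")
```

The point of review_rules is the caveat that audit2allow output is a starting point, not a finished policy: it allows exactly what was denied, so a denial caused by a mislabelled socket or directory would be "fixed" by widening the source domain's permissions on a generic type instead of by correcting the label. Reading the generated .te before compiling it is what keeps a module like this one scoped to the Workhorse socket.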
