Add selinux module for gitlab-shell

What does this MR do?

In GitLab version 13.4, gitlab-shell was changed to go through Workhorse. Reference: !4498 (merged). This change results in database ssh key lookups on RHEL based distributions with selinux enforcing. This MR adds a module to apply contexts for selinux to allow SSH to go through the Workhorse unix socket.

Currently, users with GitLab version 13.4 using fast ssh lookup can get a permission denied when using git ssh commands. This is due to missing rules for selinux to allow database ssh lookups through the Workhorse socket.

The Type Enforcement file was generated by running the command ausearch -c 'gitlab-shell-au' --raw | audit2allow -M gitlab-13.5.0-gitlab-shell.

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

• Merge Request Title, and Description are up to date, accurate, and descriptive
• MR targeting the appropriate branch
• MR has a green pipeline on GitLab.com
• Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
• trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

• Test plan indicating conditions for success has been posted and passes
• Documentation created/updated
• Tests added
• Integration tests added to GitLab QA
• Equivalent MR/issue for the GitLab Chart opened

files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb

@@ -8,24 +8,26 @@ class SELinuxHelper
       gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
       gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
       gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
+      gitlab_workhorse_sock = node['gitlab']['gitlab-workhorse']['listen_addr']
 
       # If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
       # git_user is valid.
       selinux_code = []
 
       if File.exist?(ssh_dir)
-        selinux_code << "semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'"
+        selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{ssh_dir}(/.*)?'"
         selinux_code << "restorecon -R -v '#{ssh_dir}'"
       end
 
       [
         authorized_keys,
         gitlab_shell_config_file,
-        gitlab_shell_secret_file
+        gitlab_shell_secret_file,
+        gitlab_workhorse_sock
       ].each do |file|
         next unless File.exist?(file)
 
-        selinux_code << "semanage fcontext -a -t ssh_home_t '#{file}'"
+        selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{file}'"
         selinux_code << "restorecon -v '#{file}'"
       end