Skip to content

Generate SELinux policy module with package

Robert Marshall requested to merge 8231-compile-selinux-modules-in-pipelines into master

What does this MR do?

Generate SELinux policy module with package

- Compile the SELinux policy module files from the base type enforcement
  files during the package build
- The SELinux policy applies to more than RHEL 7, so move the type
  enforcement files out of the specific path for clarity

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8231

Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

Related issues

Closes Compile SELinux policy in pipelines (#8231 - closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.

Testing Plan

  1. Install a package on an SELinux supported distribution
  2. Ensure the follow files are present after package installation
/opt/gitlab/embedded/selinux/gitlab-10.5.0-ssh-authorized-keys.pp                                                                                                                                                              
/opt/gitlab/embedded/selinux/gitlab-13.5.0-gitlab-shell.pp                                                                                                                                                                     
/opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp
  1. Ensure there are no .te, .fc, Makefile, or other in /opt/gitlab/embedded/selinux/ directory
  2. After the application is installed, ensure the SELinux policies are installed 
    semodule -l|grep gitlab

gitlab-10.5.0-ssh-authorized-keys
gitlab-13.5.0-gitlab-shell
gitlab-7.2.0-ssh-keygen
  3. Validate that the git-over-ssh works with both default installation and fast lookup
Edited by Robert Marshall

Merge request reports