Skip to content

Consolidate SELinux policy into one module

Robert Marshall requested to merge 7453-consolidate-selinux-policy into master

What does this MR do?

Consolidate SELinux policy into one module

- Create a single versioned SELinux policy module for GitLab similar to
  other policy module components.
- The first iteration of the consolidated policy is opt-in if the user
  sets `package['selinux_policy_version'] to anything other than nil.

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7453

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8235

Changelog: changed

Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

Related issues

Closes Migrate existing GitLab SELinux policies into n... (#7453 - closed) • Robert Marshall • 16.10 • On track

Closes Add command to switch between current and unifi... (#8235 - closed) • Robert Marshall • 16.10 • On track

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.

Testing

I tested with EL8. On AlmaLinux, the setools-console package provides the seinfo and sesearch commands.

With default settings

semodule -l|grep gitlab
gitlab-10.5.0-ssh-authorized-keys
gitlab-13.5.0-gitlab-shell
gitlab-7.2.0-ssh-keygen

With new policy

Set package['selinux_policy_version'] = "new" in gitlab.rb

semodule -l|grep gitlab
gitlab

Same under both sets of policy

seinfo -x --type=gitlab_shell_t

Types: 1
   type gitlab_shell_t, file_type;
sesearch -A |grep gitlab
allow gitlab_shell_t gitlab_shell_t:filesystem associate;
allow httpd_t gitlab_shell_t:sock_file { read write };
allow sshd_t gitlab_shell_t:file { getattr open read };
allow sshd_t gitlab_shell_t:sock_file write;
sesearch -A |grep http_cache_port|grep sshd_t
allow sshd_t http_cache_port_t:tcp_socket name_connect;
sesearch -A |grep var_log_t|grep sshd_t
allow sshd_t var_log_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow sshd_t var_log_t:file open;

Confirming function

  • Attempt to clone/push with ssh with both system sshd and gitlab-ssh.
  • Go back and forth between having package['selinux_policy_version'] = "new" or package['selinux_policy_version'] = nil set in gitlab.rb.
  • Test that removing the package['selinux_policy_version'] value in gitlab.rb functions the same as setting it to nil.
Edited by Robert Marshall

Merge request reports