Commit 5b992246 authored by Stan Hu

Fix SELinux installation failures on Debian Stretch

Debian Stretch requires that pathnames be present when calling `restorecon`,
but this was not a requirement in CentOS 7. We fix this by moving all
SELinux-related changes to the gitlab::selinux recipe so that all the required
files and directories can be made before any SELinux changes are applied. This
makes sense from a code organization standpoint and also has the nice side
effect of removing the need to ignore unknown files (-i option in restorecon)
as well.

Closes #3337
parent b1f4734e
......@@ -6,6 +6,7 @@ omnibus-gitlab repository.
10.8.0
- Upgrade Ruby version to 2.3.7
- Fix SELinux installation failures on Debian Stretch
- Bump git to 2.16.3
10.7.0
......@@ -26,9 +26,6 @@ authorized_keys = node['gitlab']['gitlab-shell']['auth_file']
log_directory = node['gitlab']['gitlab-shell']['log_directory']
gitlab_shell_keys_check = File.join(gitlab_shell_dir, 'bin/gitlab-keys')
gitlab_shell_config_file = File.join(gitlab_shell_var_dir, "config.yml")
gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
# Creates `.ssh` directory to hold authorized_keys
[
......@@ -98,20 +95,3 @@ execute "#{gitlab_shell_keys_check} check-permissions" do
user git_user
group git_group
end
# If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
# git_user is valid.
bash "Set proper security context on ssh files for selinux" do
code <<~EOS
semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'
semanage fcontext -a -t ssh_home_t '#{authorized_keys}'
semanage fcontext -a -t ssh_home_t '#{gitlab_shell_config_file}'
semanage fcontext -a -t ssh_home_t '#{gitlab_shell_secret_file}'
restorecon -R -v '#{ssh_dir}'
restorecon -v '#{authorized_keys}' '#{gitlab_shell_config_file}'
# On new installs, the gitlab_shell_secret file may not exist until the
# gitlab-rails recipe runs, so we can safely move along if the file doesn't exist.
restorecon -v -i '#{gitlab_shell_secret_file}'
EOS
only_if "id -Z"
end
......@@ -28,3 +28,26 @@ if RedhatHelper.system_is_rhel7?
not_if "semodule -l | grep '^#{authorized_keys_module}\\s'"
end
end
ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
authorized_keys = node['gitlab']['gitlab-shell']['auth_file']
gitlab_shell_var_dir = node['gitlab']['gitlab-shell']['dir']
gitlab_shell_config_file = File.join(gitlab_shell_var_dir, "config.yml")
gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
# If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
# git_user is valid.
bash "Set proper security context on ssh files for selinux" do
code <<~EOS
semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'
semanage fcontext -a -t ssh_home_t '#{authorized_keys}'
semanage fcontext -a -t ssh_home_t '#{gitlab_shell_config_file}'
semanage fcontext -a -t ssh_home_t '#{gitlab_shell_secret_file}'
restorecon -R -v '#{ssh_dir}'
restorecon -v '#{authorized_keys}' '#{gitlab_shell_config_file}'
restorecon -v '#{gitlab_shell_secret_file}'
EOS
only_if "id -Z"
end
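Review bot: Dropping `-i` from the last `restorecon` in the heredoc turns a missing `gitlab_shell_secret_file` into a hard converge failure, and nothing in this hunk enforces the precondition; per the commit message it relies on the gitlab-rails recipe having created the file earlier in the run list, so a node where that recipe is disabled or reordered would now fail here rather than be skipped. I would state that dependency next to the resource, e.g. `# Relies on gitlab::gitlab-shell and gitlab::gitlab-rails having run first: every path below must exist, since restorecon on Debian Stretch rejects missing paths`. The carried-over comment above the resource still says only ".ssh directory and authorized_keys file" although the block also labels gitlab-shell's config.yml and the gitlab_shell_secret file, so it understates what is being relabelled. The paths are interpolated into single-quoted shell arguments; they come from node attributes rather than untrusted input, but a value containing `'` would break the command, and `Shellwords.escape(ssh_dir)` would make the quoting robust.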
......@@ -21,42 +21,6 @@ describe 'gitlab::gitlab-shell' do
expect(chef_run.node['gitlab']['gitlab-shell']['auth_file']).to eq('/tmp/authorized_keys')
end
context 'when NOT running on selinux' do
before { stub_command('id -Z').and_return(false) }
it 'should not run the semanage bash command' do
expect(chef_run).not_to run_bash('Set proper security context on ssh files for selinux')
end
end
context 'when running on selinux' do
before { stub_command('id -Z').and_return('') }
let(:bash_block) { chef_run.bash('Set proper security context on ssh files for selinux') }
def semanage_fcontext(filename)
"semanage fcontext -a -t ssh_home_t '#(unknown)'"
end
it 'should run the semanage bash command' do
expect(chef_run).to run_bash('Set proper security context on ssh files for selinux')
end
it 'sets the security context of gitlab-shell files' do
lines = bash_block.code.split("\n")
files = %w(/var/opt/gitlab/.ssh(/.*)?
/var/opt/gitlab/.ssh/authorized_keys
/var/opt/gitlab/gitlab-shell/config.yml
/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret)
managed_files = files.map { |file| semanage_fcontext(file) }
expect(lines).to include(*managed_files)
expect(lines).to include("restorecon -R -v '/var/opt/gitlab/.ssh'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/.ssh/authorized_keys' '/var/opt/gitlab/gitlab-shell/config.yml'")
expect(lines).to include("restorecon -v -i '/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret'")
end
end
context 'with default settings' do
it 'populates the default values' do
expect(chef_run).to render_file('/var/opt/gitlab/gitlab-shell/config.yml')
require 'chef_helper'
describe 'gitlab::gitlab-selinux' do
let(:chef_run) { ChefSpec::SoloRunner.new(step_into: %w(templatesymlink storage_directory)).converge('gitlab::default') }
before do
allow(Gitlab).to receive(:[]).and_call_original
end
context 'when NOT running on selinux' do
before { stub_command('id -Z').and_return(false) }
it 'should not run the semanage bash command' do
expect(chef_run).not_to run_bash('Set proper security context on ssh files for selinux')
end
end
context 'when running on selinux' do
before { stub_command('id -Z').and_return('') }
let(:bash_block) { chef_run.bash('Set proper security context on ssh files for selinux') }
def semanage_fcontext(filename)
"semanage fcontext -a -t ssh_home_t '#(unknown)'"
end
it 'should run the semanage bash command' do
expect(chef_run).to run_bash('Set proper security context on ssh files for selinux')
end
it 'sets the security context of gitlab-shell files' do
lines = bash_block.code.split("\n")
files = %w(/var/opt/gitlab/.ssh(/.*)?
/var/opt/gitlab/.ssh/authorized_keys
/var/opt/gitlab/gitlab-shell/config.yml
/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret)
managed_files = files.map { |file| semanage_fcontext(file) }
expect(lines).to include(*managed_files)
expect(lines).to include("restorecon -R -v '/var/opt/gitlab/.ssh'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/.ssh/authorized_keys' '/var/opt/gitlab/gitlab-shell/config.yml'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret'")
end
end
end
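Review bot: The new spec pins the exact command strings but not the premise of the fix, namely that `gitlab::gitlab-selinux` converges after the recipes that create `.ssh`, `config.yml` and `gitlab_shell_secret`; a later reordering of the default run list would pass this spec and reintroduce the Debian Stretch failure, so an example asserting the selinux recipe is included after gitlab-shell and gitlab-rails would cover the ordering the commit message describes. The body of `semanage_fcontext` renders here as `'#(unknown)'`, which looks like a display artifact for the interpolated filename; if it were literal, `managed_files` could never match and the `include(*managed_files)` expectation would fail loudly rather than pass silently, so it is worth confirming in the checked-in file. The `step_into: %w(templatesymlink storage_directory)` on the runner is not obviously required by anything this spec asserts; if it was only carried over from the gitlab-shell spec, dropping it or adding a one-line reason would help the next reader.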