Installed gitlab-ee-14.7.2-ee.0.el8.x86_64 on Rocky Linux 8 with the latest updates.
When SELinux is in Enforcing mode, I am not able to git clone; on the client I see this error:
remote: Internal API unreachable
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
git did not exit cleanly (exit code 128)
audit2allow -a -l -w
type=AVC msg=audit(1644425667.730:600): avc: denied { open } for pid=69734 comm="gitlab-shell" path="/var/log/gitlab/gitlab-shell/gitlab-shell.log" dev="dm-0" ino=193346642 scontext=user_u:user_r:user_t:s0 tcontext=staff_u:object_r:var_log_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1644425667.732:601): avc: denied { write } for pid=69734 comm="gitlab-shell" name="socket" dev="dm-0" ino=8852552 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
audit2allow -a -l -m gitlab-custom
module gitlab-custom 1.0;
require {
type var_log_t;
type var_t;
type user_t;
class file open;
class sock_file write;
}
#============= user_t ==============
allow user_t var_log_t:file open;
allow user_t var_t:sock_file write;
Btw, it works when I switch SELinux to permissive mode.
It is not a problem to create a SELinux module this way, but allowing user_t to open logs is not a good idea from a security perspective. Better would be to create a new dedicated domain for gitlab-shell and its logs, add the required permissions for it, and relabel the gitlab-shell executable and its logs.
I am wondering why such a SELinux policy is not part of the gitlab-ee rpm package for el/8, or whether there is anyone running gitlab-ee on Rocky Linux 8 with GitLab working with SELinux enabled out of the box (in that case maybe there is something specific to our installation).
Final version of a somewhat better (than just allowing things for user_t) SELinux policy:
gitlab-custom.te
policy_module(gitlab-custom,1.0.2)
# macros are defined under /usr/share/selinux/devel/include/
gen_require(`
type var_t;
type sysfs_t;
')
# dedicated domain for gitlab-shell and the entrypoint type for its executable
type gitlab_shell_t;
type gitlab_shell_exec_t;
application_domain(gitlab_shell_t, gitlab_shell_exec_t)
# dedicated log type, so the domain gets no access to generic var_log_t files
type gitlab_shell_log_t;
logging_log_file(gitlab_shell_log_t)
append_files_pattern(gitlab_shell_t, gitlab_shell_log_t, gitlab_shell_log_t)
dev_read_sysfs(gitlab_shell_t)
# files and the socket that are still labelled var_t (see the AVC denials above)
allow gitlab_shell_t var_t:file { getattr open read };
allow gitlab_shell_t var_t:sock_file write;
# let the confined user_t domain transition into gitlab_shell_t when executing the binary
optional_policy(`
gitlab_shell_role(user_r, user_t)
')
interface(`gitlab_shell_role',`
gen_require(`
role $1;
type $2;
type gitlab_shell_t, gitlab_shell_exec_t;
')
role $1 types gitlab_shell_t;
domtrans_pattern($2, gitlab_shell_exec_t, gitlab_shell_t)
ps_process_pattern($2, gitlab_shell_t)
')
Then execute:
make -f /usr/share/selinux/devel/Makefile
semodule -i gitlab-custom.pp
make -f /usr/share/selinux/devel/Makefile clean
restorecon -v -F /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
restorecon -R -v -F /var/log/gitlab/gitlab-shell
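The two restorecon commands only relabel to the new types if the policy also ships a file-context mapping; the .te above defines the types but no paths. As an added example (not part of the original post), a gitlab-custom.fc placed next to gitlab-custom.te does that, using the paths from the restorecon lines above; the devel Makefile picks up a same-named .fc automatically when building the .pp:

```text
# gitlab-custom.fc (added example): map the binary and its log directory to the new types
/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell	--	gen_context(system_u:object_r:gitlab_shell_exec_t,s0)
/var/log/gitlab/gitlab-shell(/.*)?		gen_context(system_u:object_r:gitlab_shell_log_t,s0)
```

After semodule -i and restorecon, ls -Z on the binary and the log directory should show gitlab_shell_exec_t and gitlab_shell_log_t instead of the previous labels.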