Add selinux module for gitlab-shell

a77792ac · John Long · Robert Marshall · 12d1cf15 · a77792ac · a77792ac
Commit a77792ac authored 4 years ago by John Long Committed by Robert Marshall 4 years ago
--- a/files/gitlab-cookbooks/gitlab/recipes/selinux.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/selinux.rb
@@ -27,6 +27,12 @@ if RedhatHelper.system_is_rhel7? || RedhatHelper.system_is_rhel8?
    not_if "getenforce | grep Disabled"
    not_if "semodule -l | grep '^#{authorized_keys_module}\\s'"
  end
+  
+  gitlab_shell_module = 'gitlab-13.5.0-gitlab-shell'
+  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{gitlab_shell_module}.pp" do
+    not_if "getenforce | grep Disabled"
+    not_if "semodule -l | grep '^#{gitlab_shell_module}\\s'"
+  end
 end
  
 # If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the

--- a/files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp
+++ b/files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp
--- a/files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.te
+++ b/files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.te
+
+module gitlab-13.5.0-gitlab-shell 1.0;
+
+require {
+	type var_log_t;
+	type var_t;
+	type sshd_t;
+	class sock_file write;
+	class file create;
+}
+
+#============= sshd_t ==============
+allow sshd_t var_log_t:file create;
+
+#!!!! WARNING: 'var_t' is a base type.
+allow sshd_t var_t:sock_file write;