Change package file

files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb

@@ -8,24 +8,26 @@ class SELinuxHelper
       gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
       gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
       gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
+      gitlab_workhorse_sock = '/var/opt/gitlab/gitlab-workhorse/socket'
       # If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
       # git_user is valid.
       selinux_code = []
       if File.exist?(ssh_dir)
-        selinux_code << "semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'"
+        selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{ssh_dir}(/.*)?'"
         selinux_code << "restorecon -R -v '#{ssh_dir}'"
       end
       [
         authorized_keys,
         gitlab_shell_config_file,
-        gitlab_shell_secret_file
+        gitlab_shell_secret_file,
+        gitlab_workhorse_sock
       ].each do |file|
         next unless File.exist?(file)
-        selinux_code << "semanage fcontext -a -t ssh_home_t '#{file}'"
+        selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{file}'"
         selinux_code << "restorecon -v '#{file}'"
       end

files/gitlab-selinux/rhel/7/gitlab-13.5.0-gitlab-shell.te

 module gitlab-13.5.0-gitlab-shell 1.0;
+type gitlab_shell_t;
+
 require {
-	type var_log_t;
-	type var_t;
-	type sshd_t;
-	class sock_file write;
-	class file create;
+    type sshd_t;
+    attribute file_type;
+    class sock_file write;
+    class file { open read getattr };
 }
-#============= sshd_t ==============
-allow sshd_t var_log_t:file create;
-
-#!!!! WARNING: 'var_t' is a base type.
-allow sshd_t var_t:sock_file write;
+typeattribute gitlab_shell_t file_type;
+allow sshd_t gitlab_shell_t:file read;
+allow sshd_t gitlab_shell_t:file open;
+allow sshd_t gitlab_shell_t:file getattr;
+allow sshd_t gitlab_shell_t:sock_file write;