Generate SELinux policy module with package

- Compile the SELinux policy module files from the base type enforcement
  files during the package build
- The SELinux policy applies to more than RHEL 7, so move the type
  enforcement files out of the specific path for clarity

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8231
Signed-off-by: Robert Marshall <[email protected]>

Author: Robert Marshall

.gitlab-ci.yml

@@ -42,7 +42,7 @@ variables:
   # To be used for images that exist only on dev.gitlab.org
   DEV_BUILDER_IMAGE_REGISTRY: 'dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder'
   PUBLIC_BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
-  BUILDER_IMAGE_REVISION: "4.28.0"
+  BUILDER_IMAGE_REVISION: "4.30.0"
   # The registry to pull the assets image from
   ASSET_REGISTRY: "${CI_REGISTRY}"
   ASSET_SYNC_EXISTING_REMOTE_FILES: "keep"

config/projects/gitlab.rb

@@ -22,6 +22,7 @@
 require "#{Omnibus::Config.project_root}/lib/gitlab/util"
 require "#{Omnibus::Config.project_root}/lib/gitlab/ohai_helper.rb"
 require "#{Omnibus::Config.project_root}/lib/gitlab/openssl_helper"
+require "#{Omnibus::Config.project_root}/files/gitlab-cookbooks/package/libraries/helpers/selinux_distro_helper.rb"
 
 gitlab_package_name = Build::Info::Package.name
 gitlab_package_file = File.join(Omnibus::Config.project_dir, 'gitlab', "#{gitlab_package_name}.rb")
@@ -104,6 +105,7 @@
 end
 
 dependency 'cacerts'
+dependency 'gitlab-selinux' if SELinuxDistroHelper.selinux_supported?
 dependency 'redis'
 dependency 'nginx'
 dependency 'mixlib-log'
@@ -146,7 +148,7 @@
 dependency 'gitlab-psql'
 dependency 'gitlab-redis-cli'
 dependency 'gitlab-healthcheck'
-dependency 'gitlab-selinux'
+
 dependency 'gitlab-scripts'
 dependency 'gitlab-config-template'
 

config/software/gitlab-selinux.rb

@@ -25,6 +25,17 @@
 source path: File.expand_path('files/gitlab-selinux', Omnibus::Config.project_root)
 
 build do
+  policy_directory = File.expand_path('files/gitlab-selinux', Omnibus::Config.project_root)
+
+  # Only type enforcement (te) is provided in the current policy
+  Dir.glob("#{policy_directory}/*.te").each do |te_file|
+    mod_file = te_file.sub(/\.te$/, ".mod")
+    policy_file = te_file.sub(/\.te$/, ".pp")
+
+    command "checkmodule -M -m -o #{mod_file} #{te_file}", cwd: policy_directory
+    command "semodule_package -o #{policy_file} -m #{mod_file}", cwd: policy_directory
+  end
+
   mkdir "#{install_dir}/embedded/selinux"
-  sync './', "#{install_dir}/embedded/selinux/"
+  copy "#{policy_directory}/*.pp", "#{install_dir}/embedded/selinux"
 end

files/gitlab-cookbooks/gitlab/recipes/selinux.rb

@@ -17,19 +17,19 @@
 
 if SELinuxDistroHelper.selinux_supported?
   ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
-  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
+  execute "semodule -i /opt/gitlab/embedded/selinux/#{ssh_keygen_module}.pp" do
     not_if "getenforce | grep Disabled"
     not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
   end
 
   authorized_keys_module = 'gitlab-10.5.0-ssh-authorized-keys'
-  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{authorized_keys_module}.pp" do
+  execute "semodule -i /opt/gitlab/embedded/selinux/#{authorized_keys_module}.pp" do
     not_if "getenforce | grep Disabled"
     not_if "semodule -l | grep '^#{authorized_keys_module}\\s'"
   end
 
   gitlab_shell_module = 'gitlab-13.5.0-gitlab-shell'
-  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{gitlab_shell_module}.pp" do
+  execute "semodule -i /opt/gitlab/embedded/selinux/#{gitlab_shell_module}.pp" do
     not_if "getenforce | grep Disabled"
     not_if "semodule -l | grep '^#{gitlab_shell_module}\\s'"
   end