Commit 2609251213bcb58510c4ea485a6c89f8f3d0b06c
Exists in
master
and in
2 other branches
Merge branch 'doc/selinux' into 'master'
Add information about omnibus-gitlab and SELinux See merge request !173
Showing
1 changed file
with
18 additions
and
0 deletions
Show diff stats
README.md
| ... | ... | @@ -84,6 +84,13 @@ unicorn['port'] = 3456 |
| 84 | 84 | |
| 85 | 85 | For Nginx port changes please see the section on enabling HTTPS below. |
| 86 | 86 | |
| 87 | +#### Git SSH access stops working on SELinux-enabled systems | |
| 88 | + | |
| 89 | +On SELinux-enabled systems the git user's `.ssh` directory or its contents can | |
| 90 | +get their security context messed up. You can fix this by running `sudo | |
| 91 | +gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on | |
| 92 | +`/var/opt/gitlab/.ssh`. | |
| 93 | + | |
| 87 | 94 | #### Reconfigure fails to create the git user |
| 88 | 95 | |
| 89 | 96 | This can happen if you run `sudo gitlab-ctl reconfigure` as the git user. |
| ... | ... | @@ -521,6 +528,17 @@ Omnibus-gitlab uses four different directories. |
| 521 | 528 | - `/var/log/gitlab` contains all log data generated by components of |
| 522 | 529 | omnibus-gitlab. |
| 523 | 530 | |
| 531 | +## Omnibus-gitlab and SELinux | |
| 532 | + | |
| 533 | +Although omnibus-gitlab runs on systems that have SELinux enabled, it does not | |
| 534 | +use SELinux confinement features: | |
| 535 | +- omnibus-gitlab creates unconfined system users; | |
| 536 | +- omnibus-gitlab services run in an unconfined context. | |
| 537 | + | |
| 538 | +The correct operation of Git access via SSH depends on the labeling of | |
| 539 | +`/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running | |
| 540 | +`sudo gitlab-ctl reconfigure`. | |
| 541 | + | |
| 524 | 542 | ## Logs |
| 525 | 543 | |
| 526 | 544 | ### Tail logs in a console on the server | ... | ... |