Commit 2609251213bcb58510c4ea485a6c89f8f3d0b06c

Authored by Jacob Vosmaer
2 parents b43ecf41 f5acdddb

Merge branch 'doc/selinux' into 'master'

Add information about omnibus-gitlab and SELinux

See merge request !173
Showing 1 changed file with 18 additions and 0 deletions
@@ -84,6 +84,13 @@ unicorn['port'] = 3456 @@ -84,6 +84,13 @@ unicorn['port'] = 3456
84 84
85 For Nginx port changes please see the section on enabling HTTPS below. 85 For Nginx port changes please see the section on enabling HTTPS below.
86 86
  87 +#### Git SSH access stops working on SELinux-enabled systems
  88 +
  89 +On SELinux-enabled systems the git user's `.ssh` directory or its contents can
  90 +get their security context messed up. You can fix this by running `sudo
  91 +gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on
  92 +`/var/opt/gitlab/.ssh`.
  93 +
87 #### Reconfigure fails to create the git user 94 #### Reconfigure fails to create the git user
88 95
89 This can happen if you run `sudo gitlab-ctl reconfigure` as the git user. 96 This can happen if you run `sudo gitlab-ctl reconfigure` as the git user.
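Review bot: The new troubleshooting entry (new lines 89-92) says the security context gets "messed up" without stating the symptom an admin would see or the label that is expected, so the reader cannot confirm that this is their problem before running a full reconfigure. Suggest naming the SELinux type that the `chcon --recursive` call applies and adding a check such as `ls -Z` on `/var/opt/gitlab/.ssh` so the state can be verified before and after. Also, the inline code span is split across new lines 90-91 (`sudo` on one line, `gitlab-ctl reconfigure` on the next); keep the command on a single line so it can be copied as-is.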
@@ -521,6 +528,17 @@ Omnibus-gitlab uses four different directories. @@ -521,6 +528,17 @@ Omnibus-gitlab uses four different directories.
521 - `/var/log/gitlab` contains all log data generated by components of 528 - `/var/log/gitlab` contains all log data generated by components of
522 omnibus-gitlab. 529 omnibus-gitlab.
523 530
  531 +## Omnibus-gitlab and SELinux
  532 +
  533 +Although omnibus-gitlab runs on systems that have SELinux enabled, it does not
  534 +use SELinux confinement features:
  535 +- omnibus-gitlab creates unconfined system users;
  536 +- omnibus-gitlab services run in an unconfined context.
  537 +
  538 +The correct operation of Git access via SSH depends on the labeling of
  539 +`/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running
  540 +`sudo gitlab-ctl reconfigure`.
  541 +
524 ## Logs 542 ## Logs
525 543
526 ### Tail logs in a console on the server 544 ### Tail logs in a console on the server
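Review bot: The new "Omnibus-gitlab and SELinux" section (new lines 533-536) states that users and services are unconfined but does not spell out the consequence: on an enforcing system the SELinux policy gives no containment for the GitLab services, and only the labeling of `/var/opt/gitlab/.ssh` matters. One sentence saying so would help admins who assume that enabling SELinux protects the install. The list at new line 535 follows the paragraph with no blank line, which some Markdown renderers will fold into the preceding sentence; add a blank line after "features:". The last paragraph repeats the fix from the troubleshooting entry "Git SSH access stops working on SELinux-enabled systems"; link to that entry instead, and replace "If needed" with how to tell that the labeling is wrong.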