Commit f5acdddbd8b8c8e0c2d695c59ecc49b3f8ab5d81
1 parent
f5716057
Exists in
master
and in
2 other branches
Add information abou omnibus-gitlab and SELinux
Showing
1 changed file
with
18 additions
and
0 deletions
Show diff stats
README.md
| ... | ... | @@ -64,6 +64,13 @@ unicorn['port'] = 3456 |
| 64 | 64 | |
| 65 | 65 | For Nginx port changes please see the section on enabling HTTPS below. |
| 66 | 66 | |
| 67 | +#### Git SSH access stops working on SELinux-enabled systems | |
| 68 | + | |
| 69 | +On SELinux-enabled systems the git user's `.ssh` directory or its contents can | |
| 70 | +get their security context messed up. You can fix this by running `sudo | |
| 71 | +gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on | |
| 72 | +`/var/opt/gitlab/.ssh`. | |
| 73 | + | |
| 67 | 74 | #### Reconfigure fails to create the git user |
| 68 | 75 | |
| 69 | 76 | This can happen if you run `sudo gitlab-ctl reconfigure` as the git user. |
| ... | ... | @@ -486,6 +493,17 @@ Omnibus-gitlab uses four different directories. |
| 486 | 493 | - `/var/log/gitlab` contains all log data generated by components of |
| 487 | 494 | omnibus-gitlab. |
| 488 | 495 | |
| 496 | +## Omnibus-gitlab and SELinux | |
| 497 | + | |
| 498 | +Although omnibus-gitlab runs on systems that have SELinux enabled, it does not | |
| 499 | +use SELinux confinement features: | |
| 500 | +- omnibus-gitlab creates unconfined system users; | |
| 501 | +- omnibus-gitlab services run in an unconfined context. | |
| 502 | + | |
| 503 | +The correct operation of Git access via SSH depends on the labeling of | |
| 504 | +`/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running | |
| 505 | +`sudo gitlab-ctl reconfigure`. | |
| 506 | + | |
| 489 | 507 | ## Logs |
| 490 | 508 | |
| 491 | 509 | ### Tail logs in a console on the server | ... | ... |