From f5acdddbd8b8c8e0c2d695c59ecc49b3f8ab5d81 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Tue, 29 Jul 2014 11:22:55 +0200
Subject: [PATCH] Add information abou omnibus-gitlab and SELinux

---
 README.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+), 0 deletions(-)

diff --git a/README.md b/README.md
index 24e8f12..28aafcd 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,13 @@ unicorn['port'] = 3456
 For Nginx port changes please see the section on enabling HTTPS below.
+#### Git SSH access stops working on SELinux-enabled systems
+
+On SELinux-enabled systems the git user's `.ssh` directory or its contents can
+get their security context messed up. You can fix this by running `sudo
+gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on
+`/var/opt/gitlab/.ssh`.
+
 #### Reconfigure fails to create the git user
 This can happen if you run `sudo gitlab-ctl reconfigure` as the git user.
@@ -486,6 +493,17 @@ Omnibus-gitlab uses four different directories.
 - `/var/log/gitlab` contains all log data generated by components of omnibus-gitlab.
+## Omnibus-gitlab and SELinux
+
+Although omnibus-gitlab runs on systems that have SELinux enabled, it does not
+use SELinux confinement features:
+- omnibus-gitlab creates unconfined system users;
+- omnibus-gitlab services run in an unconfined context.
+
+The correct operation of Git access via SSH depends on the labeling of
+`/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running
+`sudo gitlab-ctl reconfigure`.
+
 ## Logs
 ### Tail logs in a console on the server
-- 
libgit2 0.21.2