Commit f5acdddbd8b8c8e0c2d695c59ecc49b3f8ab5d81

Authored by Jacob Vosmaer
1 parent f5716057

Add information about omnibus-gitlab and SELinux

Showing 1 changed file with 18 additions and 0 deletions
@@ -64,6 +64,13 @@ unicorn['port'] = 3456 @@ -64,6 +64,13 @@ unicorn['port'] = 3456
64 64
65 For Nginx port changes please see the section on enabling HTTPS below. 65 For Nginx port changes please see the section on enabling HTTPS below.
66 66
  67 +#### Git SSH access stops working on SELinux-enabled systems
  68 +
  69 +On SELinux-enabled systems the git user's `.ssh` directory or its contents can
  70 +get their security context messed up. You can fix this by running `sudo
  71 +gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on
  72 +`/var/opt/gitlab/.ssh`.
  73 +
67 #### Reconfigure fails to create the git user 74 #### Reconfigure fails to create the git user
68 75
69 This can happen if you run `sudo gitlab-ctl reconfigure` as the git user. 76 This can happen if you run `sudo gitlab-ctl reconfigure` as the git user.
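Review bot: In the new troubleshooting entry (new lines 69-72), "get their security context messed up" gives an administrator nothing to recognize the problem by. Consider stating which security context `/var/opt/gitlab/.ssh` is expected to carry, how to check it, and which context the `chcon --recursive` run applies. The code span `sudo gitlab-ctl reconfigure` is also wrapped across new lines 70 and 71, which makes the command harder to grep for and to copy from the raw file; keep it on one line.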
@@ -486,6 +493,17 @@ Omnibus-gitlab uses four different directories. @@ -486,6 +493,17 @@ Omnibus-gitlab uses four different directories.
486 - `/var/log/gitlab` contains all log data generated by components of 493 - `/var/log/gitlab` contains all log data generated by components of
487 omnibus-gitlab. 494 omnibus-gitlab.
488 495
  496 +## Omnibus-gitlab and SELinux
  497 +
  498 +Although omnibus-gitlab runs on systems that have SELinux enabled, it does not
  499 +use SELinux confinement features:
  500 +- omnibus-gitlab creates unconfined system users;
  501 +- omnibus-gitlab services run in an unconfined context.
  502 +
  503 +The correct operation of Git access via SSH depends on the labeling of
  504 +`/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running
  505 +`sudo gitlab-ctl reconfigure`.
  506 +
489 ## Logs 507 ## Logs
490 508
491 ### Tail logs in a console on the server 509 ### Tail logs in a console on the server
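Review bot: The list at new lines 500-501 follows the paragraph ending "use SELinux confinement features:" with no blank line, and some Markdown renderers will fold both items into that paragraph; add an empty line before the first `-`. Since the section tells readers that the system users and services are unconfined, it should also say what that means for an administrator who relies on SELinux to contain services. The closing paragraph repeats the fix from the "Git SSH access stops working on SELinux-enabled systems" entry added in the first hunk; link the two sections rather than describing the `sudo gitlab-ctl reconfigure` step twice.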