
Gitlab ee selinux errors on RHEL8 when ssh key based pull


Summary

SELinux denies sshd (via gitlab-shell-authorized-keys-check) read access to gitlab-shell's config.yml on RHEL8 with ee-16.7.2 (failures started after the 16.7.0 upgrade).

Steps to reproduce

git pull over SSH fails for users who authenticate with an SSH key.

Example Project

n/a

What is the current bug behavior?

SELinux denies sshd (running gitlab-shell-authorized-keys-check) permission to open gitlab-shell's config.yml. Note that this works as expected when SELinux is set to permissive mode.

What is the expected correct behavior?

GitLab's SELinux policy should allow config.yml to be opened by gitlab-shell-authorized-keys-check when it is invoked by sshd.

Relevant logs and/or screenshots

From audit.log:

type=AVC msg=audit(1705027202.126:212304): avc:  denied  { read } for  pid=9578 comm="gitlab-shell-au" name="config.yml" dev="dm-1" ino=240541790 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1705027202.126:212304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c00003aa80 a2=80000 a3=0 items=1 ppid=9576 pid=9578 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="gitlab-shell-au" exe="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="git" GID="git" EUID="git" SUID="git" FSUID="git" EGID="git" SGID="git" FSGID="git"
type=CWD msg=audit(1705027202.126:212304): cwd="/"
type=PATH msg=audit(1705027202.126:212304): item=0 name="/opt/gitlab/embedded/service/gitlab-shell/config.yml" inode=240541790 dev=fd:01 mode=0100640 ouid=0 ogid=989 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="git"
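
As an added triage aid (not part of the issue report), the following Python parses AVC records like the one above, extracts the source and target SELinux types, and separates denials whose target carries the fallback default_t label (a file-labelling problem) from denials against a properly labelled target (a genuine policy gap). The first record in SAMPLE_AUDIT_LOG is the one from this report; the second is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record from this report plus one constructed
# denial against a correctly labelled target, to show the two triage outcomes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1705027202.126:212304): avc:  denied  { read } for  pid=9578 comm="gitlab-shell-au" name="config.yml" dev="dm-1" ino=240541790 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1705027202.126:212304): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1705027300.001:212400): avc:  denied  { write } for  pid=1234 comm="sshd" name="example.log" dev="dm-1" ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="...") or bare (scontext=...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # e.g. sshd_t

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]  # e.g. default_t

def parse_avc_events(log_text: str) -> list:
    """Return the AVC records in an audit.log excerpt; other record types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        events.append(AvcEvent(float(m.group("ts")), int(m.group("serial")),
                               m.group("result"), m.group("perms").split(), fields))
    return events

def triage(event: AvcEvent) -> str:
    """default_t is the fallback label for a file matching no file-context rule,
    so a denial against it points at relabelling (restorecon or a missing
    fcontext rule) rather than a new allow rule; anything else is a policy gap."""
    if event.result != "denied":
        return "granted"
    return "mislabelled-target" if event.target_type == "default_t" else "policy-gap"
```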

Output of checks

n/a

Results of GitLab environment info

gitlab rake info:

System information
System:         RedHatEnterprise 8.9
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.1.4p223
Gem Version:    3.4.22
Bundler Version:2.4.22
Rake Version:   13.0.6
Redis Version:  7.0.14
Sidekiq Version:6.5.12
Go Version:     unknown

GitLab information
Version:        16.7.2-ee
Revision:       847f5d82ad6
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     13.12
URL:            https://redacted
HTTP Clone URL: https://redacted/some-group/some-project.git
SSH Clone URL:  git@redacted:some-group/some-project.git
Elasticsearch:  yes
Geo:            yes
Geo node:       Primary
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.32.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version:      16.7.2
- default Git Version:  2.42.0

Results of GitLab application Check

The GitLab health check shows as fine.

Possible fixes
