Authorized keys database lookup SELinux failure


Summary

SELinux denies access to authorized_keys when configured following docs at: https://docs.gitlab.com/ee/administration/operations/speed_up_ssh.html

Steps to reproduce

  1. Make sure SELinux is enabled with setenforce 1.
  2. Follow steps in https://docs.gitlab.com/ee/administration/operations/speed_up_ssh.html
  3. Add new public key under user settings
  4. Try to log in - will be prompted for password.
  5. Check /var/log/secure, will see the SSH AuthorizedKeysCommand error.
  6. Can find denial under /var/log/audit/audit.log, see output below.

What is the current bug behavior?

SSH prompts for password

What is the expected correct behavior?

Passwordless login

Relevant logs and/or screenshots

/var/log/audit/audit.log:

type=AVC msg=audit(1507247173.392:822): avc:  denied  { read } for  pid=9789 comm="authorized_keys" name="config.yml" dev="dm-0" ino=67996613 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

/var/log/secure:

sshd[10699]: error: AuthorizedKeysCommand exec "/opt/gitlab-shell/authorized_keys git ....

Possible fixes

Not sure whether this should be a documentation update at https://docs.gitlab.com/ee/administration/operations/speed_up_ssh.html or whether it should be correctly labeled during reconfigure of Omnibus.

Edited by Nick Thomas
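A triage helper for the denial quoted in this report, added here as an example; it is not part of the original issue or of GitLab's code. It parses AVC records from audit.log and groups them by source domain, target type and file, so a single row shows that sshd_t was denied read on a var_t-labelled config.yml. Assumptions: the second and third sample records are constructed, and the GENERIC_TYPES set is a heuristic list of broad default types rather than anything taken from policy.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the report; the other two are constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1507247173.392:822): avc:  denied  { read } for  pid=9789 comm="authorized_keys" name="config.yml" dev="dm-0" ino=67996613 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1507247180.101:830): avc:  denied  { read open } for  pid=9801 comm="authorized_keys" name="config.yml" dev="dm-0" ino=67996613 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1507247180.101:830): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: broad default types that usually mean "never given a specific label".
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t", "usr_t", "etc_t", "tmp_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    # A context is user:role:type:level; the level itself may contain ':'.
    return {
        "serial": int(m["serial"]),
        "perms": sorted(m["perms"].split()),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def summarize(log_text):
    """Collapse repeated denials into one row per (domain, target type, class, file)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["name"])
        groups[key]["count"] += 1
        groups[key]["perms"].update(rec["perms"])
    return [{"source_type": s, "target_type": t, "tclass": c, "name": n,
             "count": g["count"], "perms": sorted(g["perms"]),
             "generic_target_label": t in GENERIC_TYPES}
            for (s, t, c, n), g in sorted(groups.items(), key=lambda kv: str(kv[0]))]
```

Calling `summarize()` on the text of /var/log/audit/audit.log returns one row per distinct denial; a row with `generic_target_label` set points at a file labelling question rather than a missing policy rule.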