
SELinux - fast key lookup broken in 13.4 on RHEL 7

Summary

After upgrading to 13.4.1 (13.4.2 too) from 13.3.X on CentOS/RHEL 7 with SELinux enforcing, all git-over-ssh operations are broken:

$ git pull
...
git@XXX: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Steps to reproduce

  1. create a test system with RHEL 7 / CentOS 7
  2. ensure SELinux is in enforcing mode via setenforce 1 and checking sestatus
  3. install gitlab
  4. enable fast ssh key lookup, my sshd config looks like this:
...
Match User git
  Banner none
  AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
  AuthorizedKeysCommandUser git
  AuthorizedKeysFile none
  GSSAPIAuthentication no
  PasswordAuthentication no
  5. create a test user with ssh key, create some test repository
  6. try to clone the repository via ssh url
  7. observe the /var/log/audit/audit.log, you will see the following
type=AVC msg=audit(1601621707.838:353683): avc:  denied  { write } for  pid=20580 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0

What is the current bug behavior?

all git operations via ssh are broken

What is the expected correct behavior?

all git operations via ssh should work

Relevant logs

/var/log/audit/audit.log

type=AVC msg=audit(1601621707.838:353683): avc: denied { write } for pid=20580 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0

Details of package version

gitlab-ce-13.4.2-ce.0.el7.x86_64

Environment details

  • Operating System: CentOS Linux release 7.8.2003
  • Installation Target: Other (on-premise VM)
  • Installation Type: Upgrade from version 13.3.6
  • Is this a single or multiple node installation? single
  • Resources
    • CPU: 4 cores
    • Memory total: 32GB
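The AVC record quoted above carries everything needed to pin the denial down: the source domain (sshd_t, because AuthorizedKeysCommand runs inside the sshd process context), the target type (var_t, a generic label, which means the socket was never given a type of its own), the object class (sock_file) and the denied permission (write). The following shell script is an added example and is not part of the bug report or of GitLab's own tooling; it parses an AVC line into those fields, confirms the denial happened in enforcing mode (permissive=0), and emits the minimal Type Enforcement module that audit2allow would derive from it. The AVC line is copied from the report and embedded as constructed test input; the module name gitlab_sshd_socket and the checkmodule/semodule commands in the comments are the standard RHEL 7 policy-build workflow, not something the report prescribes.

```shell
#!/bin/sh
# Sample input: the AVC record from the report above, embedded so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1601621707.838:353683): avc:  denied  { write } for  pid=20580 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0'

# avc_field LINE KEY: print the value of "KEY=value" in an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CTX: the SELinux type is the third colon-separated field of a context
# (user:role:type:range), e.g. system_u:system_r:sshd_t:s0-s0:c0.c1023 -> sshd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission list between "{ ... }", whitespace normalised.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# avc_is_enforced LINE: succeeds only if the denial was actually enforced
# (permissive=0); a permissive=1 record means the access was logged but allowed.
avc_is_enforced() {
    [ "$(avc_field "$1" permissive)" = "0" ]
}

# avc_to_te LINE [MODULE]: print a minimal Type Enforcement source that allows
# exactly the denied access, the same rule audit2allow -M would generate.
avc_to_te() {
    te_line=$1
    te_name=${2:-avc_local}
    te_stype=$(avc_type "$(avc_field "$te_line" scontext)")
    te_ttype=$(avc_type "$(avc_field "$te_line" tcontext)")
    te_class=$(avc_field "$te_line" tclass)
    te_perms=$(avc_perms "$te_line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$te_name" "$te_stype" "$te_ttype" "$te_class" "$te_perms" \
        "$te_stype" "$te_ttype" "$te_class" "$te_perms"
}

# Usage on the affected host would be (not run here):
#   ausearch -m AVC -c gitlab-shell-au | grep '^type=AVC' | while read -r l; do avc_to_te "$l" gitlab_sshd_socket; done
#   checkmodule -M -m -o gitlab_sshd_socket.mod gitlab_sshd_socket.te
#   semodule_package -o gitlab_sshd_socket.pp -m gitlab_sshd_socket.mod
#   semodule -i gitlab_sshd_socket.pp
if avc_is_enforced "$SAMPLE_AVC"; then
    avc_to_te "$SAMPLE_AVC" gitlab_sshd_socket
fi
```

The generated rule, allow sshd_t var_t:sock_file { write };, makes the clone work again but is deliberately broad: it lets the sshd domain write to every socket file still carrying the generic var_t label, not only the one gitlab-shell-authorized-keys-check needs. The narrower fix is to give that socket a dedicated type (via semanage fcontext and restorecon) and allow sshd_t only that type; the report does not say which socket is involved beyond name="socket" on dev="dm-0", so the exact path has to be taken from the host (for example with ausearch -i, which resolves the inode to a path when the record carries a PATH entry).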