# SELinux - fast key lookup broken in 13.4 on RHEL 7

### Summary

After upgrading from 13.3.x to 13.4.1 (13.4.2 too) on CentOS/RHEL 7 with SELinux enforcing, all git-over-ssh operations are broken:

```
$ git pull
...
git@XXX: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
### Steps to reproduce

- create a test system with RHEL 7 / CentOS 7
- ensure SELinux is in enforcing mode via `setenforce 1` and check it with `sestatus`
- install GitLab
- enable fast SSH key lookup; my sshd config looks like this:

```
...
Match User git
    Banner none
    AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
    AuthorizedKeysCommandUser git
    AuthorizedKeysFile none
    GSSAPIAuthentication no
    PasswordAuthentication no
```

- create a test user with an SSH key and create a test repository
- try to clone the repository via its SSH URL
- observe `/var/log/audit/audit.log`; you will see the following:

```
type=AVC msg=audit(1601621707.838:353683): avc: denied { write } for pid=20580 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
```
### What is the current bug behavior?

All git operations via SSH are broken.

### What is the expected correct behavior?

All git operations via SSH should work.
### Relevant logs

`/var/log/audit/audit.log`:

```
type=AVC msg=audit(1601621707.838:353683): avc: denied { write } for pid=20580 comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0
```
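The AVC record above (the same line appears in the reproduction steps) carries everything needed to triage the denial: the source domain, the target label, the object class and the permission that was refused, plus `permissive=0` showing the denial was actually enforced. The following parser is an added example written for this page, not part of the report or of GitLab's own tooling; it reads the audit line from the report (embedded here as constructed sample input, together with one constructed SYSCALL line to show non-AVC records are skipped) and reduces each enforced denial to a one-line summary of the form "source type denied permission on class labelled target type".

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC line from the report, plus one SYSCALL
# line (constructed, not taken from the report) that the parser must skip.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1601621707.838:353683): avc: denied { write } for pid=20580 '
    'comm="gitlab-shell-au" name="socket" dev="dm-0" ino=1966123 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_t:s0 tclass=sock_file permissive=0\n'
    'type=SYSCALL msg=audit(1601621707.838:353683): arch=c000003e syscall=42 success=no exit=-13\n'
)

# Header of an AVC record: timestamp:serial, decision, permissions in braces,
# then the free-form key=value tail.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str   # "denied" or "granted"
    perms: list     # permissions listed inside the braces, e.g. ["write"]
    fields: dict    # remaining key=value pairs: pid, comm, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # SELinux context is user:role:type[:range]; the type is what policy rules match on.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def is_enforced_denial(self) -> bool:
        # permissive=1 means the access was logged but still allowed.
        return self.decision == "denied" and self.fields.get("permissive") == "0"


def parse_avc_line(line: str):
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> list:
    """Parse every AVC record in an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r is not None]


def enforced_denials(text: str) -> list:
    """Only the denials that actually blocked an access (permissive=0)."""
    return [r for r in parse_audit_log(text) if r.is_enforced_denial]


def describe(rec: AvcRecord) -> str:
    """One-line triage summary: which domain was refused what, on which labelled object."""
    return (
        f"{rec.source_type} denied {','.join(rec.perms)} on {rec.fields['tclass']} "
        f"labelled {rec.target_type} (comm={rec.fields['comm']}, pid={rec.fields['pid']})"
    )


if __name__ == "__main__":
    for rec in enforced_denials(SAMPLE_AUDIT_LOG):
        print(describe(rec))
```

Run against the report's line this prints `sshd_t denied write on sock_file labelled var_t (comm=gitlab-shell-au, pid=20580)`: the process running in the `sshd_t` domain (the `AuthorizedKeysCommand` helper spawned by sshd, hence `comm="gitlab-shell-au"`) was refused write access to a Unix socket that carries the generic `var_t` label. Feeding a longer `audit.log` excerpt through `enforced_denials` is a quick way to see whether the breakage reported here is the only denial or one of several.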
### Details of package version

```
gitlab-ce-13.4.2-ce.0.el7.x86_64
```
### Environment details

- Operating System: CentOS Linux release 7.8.2003
- Installation Target: Other: on-premise VM
- Installation Type: Upgrade from version 13.3.6
- Is this a single or multiple node installation? single
- Resources
  - CPU: 4 cores
  - Memory total: 32GB