sshd access to git user's authorized_keys file blocked by selinux on CentOS Stream 8
Summary
When attempting to perform git operations over SSH, requests fail due to new SELinux restrictions present in CentOS Stream 8. sshd is blocked from accessing /var/opt/gitlab/.ssh/authorized_keys, causing the request to fail.
No permission denied message is logged in /var/log/secure, just that the client closed the connection. No events are written to /var/log/gitlab/gitlab-shell/gitlab-shell.log as the shell is never executed.
/var/log/audit/audit.log does capture the denial.
# ls -laZ /var/opt/gitlab/.ssh/authorized_keys
-rw-------. 1 git git unconfined_u:object_r:var_t:s0 0 Sep 10 15:52 /var/opt/gitlab/.ssh/authorized_keys
Steps to reproduce
- Set up a fresh CentOS Stream 8 instance on GCP with image centos-stream-8-v20210817
- Install GitLab and set external URL
- Add SSH key to user profile
- Perform a git operation over SSH; the request fails
What is the current bug behavior?
All SSH requests for the git user fail.
What is the expected correct behavior?
SSH requests succeed.
Relevant logs
/var/log/audit/audit.log:
type=AVC msg=audit(1631289915.888:183): avc: denied { read } for pid=52962 comm="sshd" name="authorized_keys" dev="sda2" ino=20088759 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
Details of package version
Provide the package version installation details
gitlab-ee-14.2.3-ee.0.el8.x86_64
Environment details
- Operating System: CentOS Stream 8
- Installation Target:
  - VM: GCP
- Installation Type:
  - New Installation
- Is there any other software running on the machine: None
- Is this a single or multiple node installation? Single
- Resources
  - CPU: 2
  - Memory total: 8 GB
Configuration details
Provide the relevant sections of `/etc/gitlab/gitlab.rb`
external_url 'http://<INSTANCE_IP>'
Edited by Will Chandler (ex-GitLab)