install and reconfigure fail with selinux enforcing on Amazon Linux
Summary
Omnibus install fails to completely install with SELinux errors.
Steps to reproduce
- Deploy Amazon Linux EC2 instance, 5.10 kernel
- Set selinux to enforcing (edit config) and reboot
- Setup the Omnibus repo + dnf install gitlab-ee
- redis and workhorse are not functional
Example Project
What is the current bug behavior?
Install and reconfigure show context failures, and omnibus-gitlab is not functional
What is the expected correct behavior?
Contexts are set correctly.
Relevant logs and/or screenshots
```
2022-09-27T20:07:25+00:00] INFO: execute[reload all sysctl conf] ran successfully
- execute sysctl -e --system
[2022-09-27T20:07:25+00:00] INFO: directory[/var/opt/gitlab/gitlab-workhorse/sockets] sending restart action to runit_service[gitlab-workhorse] (delayed)
Recipe: gitlab::gitlab-workhorse
* runit_service[gitlab-workhorse] action restart (up to date)
[2022-09-27T20:07:25+00:00] INFO: template[/var/opt/gitlab/gitlab-workhorse/config.toml] sending run action to bash[Set proper security context on ssh files for selinux] (delayed)
Recipe: gitlab::selinux
* bash[Set proper security context on ssh files for selinux] action run
[execute] ValueError: Type gitlab_shell_t is invalid, must be a file or device type
ValueError: Type gitlab_shell_t is invalid, must be a file or device type
ValueError: Type gitlab_shell_t is invalid, must be a file or device type
ValueError: Type gitlab_shell_t is invalid, must be a file or device type
ValueError: Type gitlab_shell_t is invalid, must be a file or device type
[2022-09-27T20:07:28+00:00] INFO: bash[Set proper security context on ssh files for selinux] ran successfully
- execute "bash"
```
Output of checks
Results of GitLab environment info
```
[ec2-user@ip-172-31-95-31 ~]$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
```
```
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.2
Go Version: unknown

GitLab information
Version: 15.4.0-ee
Revision: abbda55531f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: http://gltest.digitalboy.net
HTTP Clone URL: http://gltest.digitalboy.net/some-group/some-project.git
SSH Clone URL: git@gltest.digitalboy.net:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`)
(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)
(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)
(we will only investigate if the tests are passing)
Possible fixes
Disable selinux by setting selinux=disabled
Edited by Nathan Black
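In the log excerpt in this report, the `gitlab::selinux` bash resource prints `ValueError` lines and is then logged as `ran successfully`, so a reconfigure can look clean while contexts were never set. As an added example (not part of the original report or of omnibus-gitlab), this Python sketch flags that pattern in reconfigure output; the regexes and the `masked_failures` name are assumptions derived only from the log lines quoted here.

```python
import re
from collections import Counter

# Constructed sample: a subset of the reconfigure lines quoted in this report.
SAMPLE_LOG = """\
[2022-09-27T20:07:25+00:00] INFO: execute[reload all sysctl conf] ran successfully
Recipe: gitlab::selinux
* bash[Set proper security context on ssh files for selinux] action run
[execute] ValueError: Type gitlab_shell_t is invalid, must be a file or device type
ValueError: Type gitlab_shell_t is invalid, must be a file or device type
[2022-09-27T20:07:28+00:00] INFO: bash[Set proper security context on ssh files for selinux] ran successfully
"""

# Patterns are assumptions matched to the line shapes shown in the report.
ACTION = re.compile(r"^\s*\* (?P<res>\w+\[.*\]) action \w+")
SUCCESS = re.compile(r"INFO: (?P<res>\w+\[.*\]) ran successfully")
BAD_TYPE = re.compile(r"ValueError: Type (?P<type>\w+) is invalid")


def masked_failures(log_text):
    """Return {resource: Counter(type -> hits)} for resources that printed
    invalid-type errors but were still logged as 'ran successfully'."""
    current = None   # resource whose output is currently being read
    pending = {}     # resources with errors, not yet seen to "succeed"
    masked = {}
    for line in log_text.splitlines():
        if (m := ACTION.match(line)):
            current = m["res"]
        elif (m := BAD_TYPE.search(line)) and current:
            pending.setdefault(current, Counter())[m["type"]] += 1
        elif (m := SUCCESS.search(line)) and m["res"] in pending:
            masked[m["res"]] = pending.pop(m["res"])
    return masked


if __name__ == "__main__":
    for resource, types in masked_failures(SAMPLE_LOG).items():
        for sel_type, hits in types.items():
            print(f"{resource}: {hits} error(s) for type {sel_type}, "
                  "yet the resource was reported successful")
```

A non-empty result means the exit status of the reconfigure run cannot be relied on to confirm that file contexts were applied.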