
Add SELinux rules to make authorized_keys via DB work

Stan Hu requested to merge sh-selinux-authorized-keys-support into master

For fast SSH key lookups to work (https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html), SELinux spawns /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check and needs the following access:

Read

  • /var/opt/gitlab/gitlab-shell/config.yml
  • /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret

Write

  • /var/log/gitlab/gitlab-shell/gitlab-shell.log

Connect

  • unicorn (port 8080)

Limitations

Because the SELinux policy is a static policy, right now we don't support the ability to change internal unicorn ports. Admins would have to create a special .te file for the environment, or we'd have to dynamically generate it for them, which is a bit tricky if they have changed their port contexts.

Granting http_cache_port_t permissions also includes access to these ports:

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130

Closes #2855 (closed)

Edited by GitLab Release Tools Bot
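The port limitation above comes down to one fact: a static policy can only allow sshd's authorized-keys command to connect to ports carrying the http_cache_port_t label, and that label covers more than 8080. The script below is an added example for this discussion, not code from the merge request or from GitLab. It parses `semanage port -l` style output (a constructed sample, reproducing the ranges quoted in the description, stands in for the live command) and reports whether a given unicorn port is already covered, printing the `semanage port` command that would label it otherwise. The function and variable names (SAMPLE_PORT_LIST, port_in_ranges, port_label_covers, unicorn_port_check) are my own; the `semanage` invocations are the real tool's.

```shell
#!/bin/sh
# Added example for this merge request discussion; not GitLab's or the MR
# author's code. Checks whether a unicorn port is already labelled
# http_cache_port_t, the only port type the static policy lets sshd's
# authorized-keys command connect to, and prints the semanage command
# that would label it otherwise. Function and variable names are mine.

# Constructed sample of `semanage port -l` output restricted to
# http_cache_port_t; it reproduces the ranges quoted in the MR description.
# On a real host use:  semanage port -l | awk '$1 == "http_cache_port_t"'
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130'

# port_in_ranges PORT RANGES
# RANGES is the comma-separated tail of a semanage line, e.g.
# "8080, 8118, 8123, 10001-10010". Returns 0 if PORT is inside any entry.
port_in_ranges() {
    port=$1
    # Turn "a, b, c-d" into whitespace-separated words for the for loop.
    ranges=$(printf '%s' "$2" | tr ',' ' ')
    for entry in $ranges; do
        case $entry in
            *-*)
                lo=${entry%-*}
                hi=${entry#*-}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$port" -eq "$entry" ] && return 0
                ;;
        esac
    done
    return 1
}

# port_label_covers PORT PROTO TYPE [LISTING]
# Looks TYPE/PROTO up in a `semanage port -l` listing (default: the sample)
# and reports whether PORT is covered. Returns 0 when covered, 1 when not.
port_label_covers() {
    port=$1
    proto=$2
    ptype=$3
    listing=${4:-$SAMPLE_PORT_LIST}
    # Keep only the range column(s) of the matching type/protocol line(s).
    ranges=$(printf '%s\n' "$listing" \
        | awk -v t="$ptype" -v p="$proto" '$1 == t && $2 == p { $1 = ""; $2 = ""; print }')
    port_in_ranges "$port" "$ranges"
}

# unicorn_port_check PORT [LISTING]
# Prints whether the authorized-keys check could already reach unicorn on
# tcp/PORT under the static policy; if not, prints the labelling command
# (it is printed, never executed). Exit status 0 = covered, 1 = not covered.
unicorn_port_check() {
    port=$1
    listing=${2:-$SAMPLE_PORT_LIST}
    if port_label_covers "$port" tcp http_cache_port_t "$listing"; then
        echo "ok: tcp/$port is labelled http_cache_port_t"
        return 0
    fi
    echo "not covered: tcp/$port is not http_cache_port_t"
    echo "to label it: semanage port -a -t http_cache_port_t -p tcp $port"
    echo "(use -m instead of -a if tcp/$port already carries another type)"
    return 1
}

# Stand-alone usage: sh unicorn_port_check.sh [PORT]   (default 8080)
unicorn_port_check "${1:-8080}"
```

Two things to weigh before running the printed command. Port labels are type-based in both directions: once tcp/8181 is http_cache_port_t, every domain the base policy allows to connect to http_cache_port_t can reach unicorn there, and the authorized-keys check can reach anything else listening on the ports in that type (8118, 8123, 10001-10010, udp 3130). And `semanage port -m` on a port that already carries another type strips that type's guarantees from whatever service normally owns it, which is the case where the environment-specific .te file mentioned in the description is the cleaner fix.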
