Fail reconfigure if SELinux commands cannot be run

Stan Hurequested to merge
sh-selinux-fail-fast into master

What does this MR do?

Previously if SELinux commands did not succeed, the gitlab-ctl reconfigure step continued without flagging an issue. This made it appear as though RHEL 10 worked fine, but GitLab did not properly configure the SELinux policy. This occurred because RHEL 10 was not actually supported in the SELinuxDistroHelper.selinux_supported? check.

Add a set -e to the bash script to fail if the SELinux policy cannot be configured.

Related issues

Relates to #9471 (closed)

How to test locally

Install GitLab on a RHEL Linux 10 installation. On 18.6.1, gitlab-ctl reconfigure will show:

[2025-12-05T01:47:23+00:00] INFO: templatesymlink[Create a gitlab_shell_secret and create a symlink to Rails root] sending run action to bash[Set proper security context on ssh files for selinux] (delayed)
Recipe: gitlab::selinux
  * bash[Set proper security context on ssh files for selinux] action run
    [execute] ValueError: Type gitlab_shell_t is invalid, must be a file or device type
              ValueError: Type gitlab_shell_t is invalid, must be a file or device type
              ValueError: Type gitlab_shell_t is invalid, must be a file or device type
              ValueError: Type gitlab_shell_t is invalid, must be a file or device type
              ValueError: Type gitlab_shell_t is invalid, must be a file or device type
[2025-12-05T01:47:26+00:00] INFO: bash[Set proper security context on ssh files for selinux] ran successfully
    - execute "bash"

But semodule -l | grep gitlab will show nothing.

Now with this package, the installation on a SELinux-enabled system will fail until !8954 (merged) is merged.

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Stan Hu

Merge request reports