Merge branch 'gitlab-contrib/omnibus-gitlab-1485-include-policycoreutils-semanage'
MR: https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/1886
commit
45abda5f4d
|
@ -5,6 +5,7 @@ omnibus-gitlab repository.
|
|||
|
||||
10.0.0
|
||||
|
||||
- Use semanage instead of chcon for setting SELinux security contexts (Elliot Wright)
|
||||
- Add option to override the hostname for remote syslog
|
||||
- Add backup_timeout argument to geo db replication command
|
||||
- Remove sensitive params from the NGINX access logs 6983fe59
|
||||
|
|
|
@ -66,6 +66,8 @@ else
|
|||
runtime_dependency 'openssh-server'
|
||||
end
|
||||
|
||||
runtime_dependency 'policycoreutils-python' if rhel?
|
||||
|
||||
# creates required build directories
|
||||
dependency 'preparation'
|
||||
dependency 'package-scripts'
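Review bot: The `runtime_dependency 'policycoreutils-python' if rhel?` line has no comment saying why the package is needed, and its condition is narrower than that of the code that uses it. The gitlab-shell recipe changed in this commit runs `semanage` whenever `id -Z` succeeds, not only on RHEL-family hosts, so on another SELinux-enabled platform the tool may be missing. I would add `# provides semanage, used by the gitlab-shell recipe to label the git user's .ssh directory` above the line. The recipe guard could also be extended to check for the tool, e.g. `only_if "id -Z && command -v semanage"`. The surrounding project definition starts and ends outside this hunk.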
|
||||
|
|
|
@ -99,7 +99,7 @@ To troubleshoot this error:
|
|||
```
|
||||
$ sudo systemctl restart gitlab-runsvdir
|
||||
```
|
||||
|
||||
|
||||
Using upstart (Ubuntu <= 14.04):
|
||||
|
||||
```
|
||||
|
@ -162,9 +162,14 @@ For Nginx port changes please see [settings/nginx.md](../settings/nginx.md).
|
|||
|
||||
On SELinux-enabled systems the git user's `.ssh` directory or its contents can
|
||||
get their security context messed up. You can fix this by running `sudo
|
||||
gitlab-ctl reconfigure`, which will run a `chcon --recursive` command on
|
||||
gitlab-ctl reconfigure`, which will set the `ssh_home_t` security context on
|
||||
`/var/opt/gitlab/.ssh`.
|
||||
|
||||
In GitLab 10.0 this behavior was improved by setting the context permanently using
|
||||
`semanage`. The runtime dependency `policycoreutils-python` has been added to the
|
||||
RPM package for RHEL based operating systems in order to ensure the `semanage`
|
||||
command is available.
|
||||
|
||||
#### All systems
|
||||
|
||||
The git user is created, by default, with a locked password, shown by `'!'` in
|
||||
|
@ -206,7 +211,7 @@ Run `sudo gitlab-ctl reconfigure` for the change to take effect.
|
|||
### Postgres error 'FATAL: could not open shared memory segment "/PostgreSQL.XXXXXXXXXX": Permission denied'
|
||||
By default, Postgres will try to detect the shared memory type to use. If you don't
|
||||
have shared memory enabled, you might see this error in `/var/log/gitlab/postgresql/current`.
|
||||
To fix this, you can disable postgresql's shared memory detection. Set the
|
||||
To fix this, you can disable postgresql's shared memory detection. Set the
|
||||
following value in `/etc/gitlab/gitlab.rb`:
|
||||
|
||||
```ruby
|
||||
|
|
|
@ -121,8 +121,10 @@ end
|
|||
# git_user is valid.
|
||||
bash "Set proper security context on ssh files for selinux" do
|
||||
code <<-EOS
|
||||
chcon --recursive --type ssh_home_t #{ssh_dir}
|
||||
chcon --type sshd_key_t #{authorized_keys}
|
||||
semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'
|
||||
semanage fcontext -a -t ssh_home_t '#{authorized_keys}'
|
||||
restorecon -R -v '#{ssh_dir}'
|
||||
restorecon -v '#{authorized_keys}'
|
||||
EOS
|
||||
only_if "id -Z"
|
||||
end
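Review bot: A failing `semanage` call in this heredoc goes unnoticed, because the script has no `set -e` and the resource's result is the exit status of the final `restorecon`. The block runs on every reconfigure, and `semanage fcontext -a` may report an error when the rule already exists (this seems to vary between policycoreutils versions, so it is worth verifying on the supported releases). If the rule was never added, `restorecon` relabels to the policy default rather than `ssh_home_t`. I would put `set -e` on the first line and make the add idempotent, e.g. `semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?' || semanage fcontext -m -t ssh_home_t '#{ssh_dir}(/.*)?'`. Separately, `authorized_keys` moves from `sshd_key_t` to `ssh_home_t` here, which deserves a why-comment such as `# authorized_keys now shares ssh_home_t with the rest of .ssh`.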
|
||||
|
|
|
@ -14,7 +14,7 @@ describe 'gitlab::gitlab-shell' do
|
|||
context 'when NOT running on selinux' do
|
||||
before { stub_command('id -Z').and_return(false) }
|
||||
|
||||
it 'should not run the chcon bash command' do
|
||||
it 'should not run the semanage bash command' do
|
||||
expect(chef_run).not_to run_bash('Set proper security context on ssh files for selinux')
|
||||
end
|
||||
end
|
||||
|
@ -22,7 +22,7 @@ describe 'gitlab::gitlab-shell' do
|
|||
context 'when running on selinux' do
|
||||
before { stub_command('id -Z').and_return('') }
|
||||
|
||||
it 'should run the chcon bash command' do
|
||||
it 'should run the semanage bash command' do
|
||||
expect(chef_run).to run_bash('Set proper security context on ssh files for selinux')
|
||||
end
|
||||
end
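Review bot: Both renamed examples still assert only the resource name, which this commit did not change, so they would pass just as well against the old `chcon` script. The new descriptions therefore promise more than the examples check. In the 'when running on selinux' example I would pin the script content: `expect(chef_run).to run_bash('Set proper security context on ssh files for selinux').with(code: /semanage fcontext -a -t ssh_home_t/)`. A second expectation matching `restorecon` would cover the relabel step. The `describe` block starts and ends outside these hunks.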
|
||||
|
|