Stan Hu authored
For fast SSH key lookups to work (https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html), SELinux spawns `/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check` and needs the following access:

* Read: /var/opt/gitlab/gitlab-shell/config.yml
* Read: /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
* Write: /var/log/gitlab/gitlab-shell/gitlab-shell.log
* Connect: unicorn (port 8080)

Because the SELinux policy is a static policy, right now we don't support the ability to change internal unicorn ports. Admins would have to create a special .te file for the environment, or we'd have to dynamically generate it for them, which is a bit tricky if they have changed their port contexts.

Granting `http_cache_port_t` permissions also includes access to these ports:

```
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
```

Closes #2855
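The following type-enforcement module is an added illustration of the four accesses the commit message lists; it is not the policy file from the commit itself, which is not shown on this page. The domain name `ssh_keygen_t` for the authorized-keys helper and the file type `gitlab_shell_t` for the two config files and the log are assumptions about how the binary and files are labelled on the host, and should be checked against `ls -Z` before the module is built.

```selinux
# Added example, not the commit's own policy. Type names are assumptions:
#   ssh_keygen_t   - domain the authorized-keys helper is assumed to run in
#   gitlab_shell_t - file type assumed on config.yml, gitlab_shell_secret
#                    and gitlab-shell.log
# Build and load (on an SELinux host, after checking the labels):
#   checkmodule -M -m -o gitlab-ssh-keys.mod gitlab-ssh-keys.te
#   semodule_package -o gitlab-ssh-keys.pp -m gitlab-ssh-keys.mod
#   semodule -i gitlab-ssh-keys.pp
module gitlab-ssh-keys-example 1.0;

require {
    type ssh_keygen_t;
    type gitlab_shell_t;
    type http_cache_port_t;
    class file { getattr open read write append };
    class tcp_socket name_connect;
}

# Read:  /var/opt/gitlab/gitlab-shell/config.yml
# Read:  /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
# Write: /var/log/gitlab/gitlab-shell/gitlab-shell.log
# All three are assumed to carry the gitlab_shell_t label, so one rule covers
# them; split into read-only and write types if a tighter policy is wanted.
allow ssh_keygen_t gitlab_shell_t:file { getattr open read write append };

# Connect: unicorn on port 8080. name_connect is granted per port type, so this
# rule also permits every other port in http_cache_port_t (tcp 8080, 8118,
# 8123, 10001-10010). A unicorn moved to a port outside that set is denied
# until the port is relabelled (semanage port) or this rule is changed.
allow ssh_keygen_t http_cache_port_t:tcp_socket name_connect;
```

If key lookups still fail after loading the module, `ausearch -m AVC -ts recent | audit2allow` shows which of the above rules does not match the real labels on the host, which is usually a sign that one of the assumed type names differs.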