Add SELinux rules to make authorized_keys via DB work
For fast SSH key lookups to work (https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html), SELinux spawns /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check and needs the following access:
Read
- /var/opt/gitlab/gitlab-shell/config.yml
- /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
Write
- /var/log/gitlab/gitlab-shell/gitlab-shell.log
Connect
- unicorn (port 8080)
Limitations
Because the SELinux policy is a static policy, right now we don't support the ability to change internal unicorn ports. Admins would have to create a special .te file for the environment, or we'd have to dynamically generate it for them, which is a bit tricky if they have changed their port contexts.
Granting http_cache_port_t permissions also includes access to these ports:

```
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
```
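As an added example (not code from this MR or from omnibus-gitlab), the script below generates a minimal type-enforcement module that grants exactly the three accesses listed above (read config and secret, write the log, connect to the unicorn port), compiles and loads it, and checks the port label that the limitation above depends on. The source domain `ssh_keygen_t` (i.e. that the check command is labeled `ssh_keygen_exec_t` and sshd transitions into it), the file labels `var_t` for /var/opt/gitlab and `var_log_t` for /var/log/gitlab, and the module name `gitlab_shell_authorized_keys` are assumptions; confirm them with `ps -Z` and `ls -Z` on the host before loading anything.

```shell
#!/bin/sh
# Added example, not part of the MR or omnibus-gitlab.
# Assumptions (verify with ls -Z / ps -Z / semanage port -l before use):
#   - gitlab-shell-authorized-keys-check runs in the ssh_keygen_t domain
#   - /var/opt/gitlab/... is labeled var_t, /var/log/gitlab/... var_log_t
#   - unicorn listens on 8080, which carries http_cache_port_t

MODULE_NAME=gitlab_shell_authorized_keys

# Emit the policy source. Pure output; touches no host state.
gitlab_shell_te() {
    cat <<'EOF'
module gitlab_shell_authorized_keys 1.0;

require {
    type ssh_keygen_t;
    type var_t;
    type var_log_t;
    type http_cache_port_t;
    class dir search;
    class file { getattr open read append write };
    class tcp_socket name_connect;
}

# Read: /var/opt/gitlab/gitlab-shell/config.yml and gitlab_shell_secret
allow ssh_keygen_t var_t:dir search;
allow ssh_keygen_t var_t:file { getattr open read };

# Write: /var/log/gitlab/gitlab-shell/gitlab-shell.log
allow ssh_keygen_t var_log_t:dir search;
allow ssh_keygen_t var_log_t:file { getattr open append write };

# Connect: unicorn on 8080. http_cache_port_t also covers
# 8118, 8123, 10001-10010/tcp and 3130/udp, so this is wider than 8080.
allow ssh_keygen_t http_cache_port_t:tcp_socket name_connect;
EOF
}

# Number of allow rules in the generated source (sanity check for the
# "exactly these accesses" claim: 2 read, 2 write, 1 connect).
gitlab_shell_te_rule_count() {
    gitlab_shell_te | grep -c '^allow '
}

# Compile and load the module. Needs checkmodule, semodule_package and
# semodule (checkpolicy / policycoreutils) and root; call it explicitly.
install_gitlab_shell_module() {
    tmp=$(mktemp -d) || return 1
    gitlab_shell_te > "$tmp/$MODULE_NAME.te"
    checkmodule -M -m -o "$tmp/$MODULE_NAME.mod" "$tmp/$MODULE_NAME.te" &&
    semodule_package -o "$tmp/$MODULE_NAME.pp" -m "$tmp/$MODULE_NAME.mod" &&
    semodule -i "$tmp/$MODULE_NAME.pp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Show which ports the rule really opens and confirm the module is loaded.
# If unicorn was moved to a port with a different label, the grep on
# http_cache_port_t will not list it and the module needs a different type.
verify_gitlab_shell_module() {
    semanage port -l | grep -E '^http_cache_port_t'
    semodule -l | grep "^$MODULE_NAME"
}
```

Run `gitlab_shell_te` first and compare the `require` block against `ps -Z` / `ls -Z` output; only then call `install_gitlab_shell_module` and `verify_gitlab_shell_module`. Keeping the file accesses on the generic `var_t` / `var_log_t` labels is deliberately the smallest change; a dedicated label for the gitlab-shell config and secret would be tighter but needs file contexts and a restorecon, which is outside what this MR describes.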
Closes #2855