1
votes

I'm setting up our GitLab server and it works well when I disable SELinux. How do I fix the SELinux configuration to allow GitLab to work?

Environment:

  • CentOS 7.4.1708 with all packages updated.
  • GitLab 10.5.2
  • nginx 1.13.10

I've installed GitLab and nginx and followed this link to configure GitLab to work with the installed nginx:

https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server

When I clicked the link to GitLab, I could not reach it, and I found this error message in /var/log/nginx/error.log:

2018/04/05 11:39:27 [crit] 4092#4092: *3 connect() to unix:/var/opt/gitlab/gitlab-workhorse/socket failed (13: Permission denied) while connecting to upstream, client: xx.xx.xx.xx, server: localhost, request: "POST /gitlab/api/v4/jobs/request HTTP/1.1", upstream: "http://unix:/var/opt/gitlab/gitlab-workhorse/socket:/gitlab/api/v4/jobs/request", host: "xx.xx.xx.xx"

After I changed SELinux to 'permissive' mode, it worked as expected. In the /var/log/audit/audit.log file I found this message:

type=AVC msg=audit(1522905628.444:872): avc:  denied  { write } for  pid=12407 comm="nginx" name="socket" dev="dm-2" ino=8871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file

Then I tried to follow the instructions below:

https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache#selinux-modifications

but I cannot find the files/directories it refers to.

setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_network_relay on
setsebool -P httpd_read_user_content on
semanage -i - <<EOF
fcontext -a -t user_home_dir_t '/home/git(/.*)?'
fcontext -a -t ssh_home_t '/home/git/.ssh(/.*)?'
fcontext -a -t httpd_sys_content_t '/home/git/gitlab/public(/.*)?'
fcontext -a -t httpd_sys_content_t '/home/git/repositories(/.*)?'
EOF
restorecon -R /home/git

  • The git user's home directory is /var/opt/gitlab instead of /home/git.
  • The /var/opt/gitlab directory has no gitlab directory or repositories directory.

How can I configure SELinux to work with my environment?


2 Answers

0
votes

I'm currently figuring this out. The documentation is a mix of old and new info and lacks a distinction between the standard and "Omnibus" installs. The problem is that they don't label their socket file properly to allow access by Nginx. I've had success running this every time after I run gitlab-ctl reconfigure:

chcon -t httpd_var_run_t /var/opt/gitlab/gitlab-workhorse/socket

Also, don't forget these bits of setup:

usermod -aG git,gitlab-www nginx
chmod g+rx /var/opt/gitlab/
chown git:git /var/opt/gitlab

As well, I couldn't get Nginx to start with the provided config; I had to create a proxy cache directory:

mkdir /usr/share/nginx/proxy_cache
restorecon -vFR /usr/share/nginx
chown nginx /usr/share/nginx/proxy_cache/
0
votes

Just had this issue myself (I'm also using a CentOS server) and was able to solve it using the command posted by miken32:

chcon -t httpd_var_run_t /var/opt/gitlab/gitlab-workhorse/socket

In my case I installed the Omnibus gitlab-ce package using the docs provided by GitLab.

Afterwards I followed the instructions for "Using a non-bundled web server". If you read carefully you'll notice the paragraph "5. Download the right web server configs", which contains a link to the GitLab recipes repository.

Follow this link and you will find the configs for multiple web servers, including the ones for nginx. Be careful: within the nginx web server directory you will be redirected to the official GitLab repository again...

Download the required config (with or without SSL etc.) into the /etc/nginx/conf.d/ directory (this is specific to at least CentOS). Carefully inspect the downloaded file, since you will need to modify it with the correct paths for the Omnibus package.

Also don't forget to give nginx access to the git group, as mentioned in the documentation. I'm not sure if it's really necessary, but my nginx user is also a member of the gitlab-www group.

After all this I was still unable to load the GitLab site. The browser just showed the 502 error page.

The /var/log/nginx/gitlab-error.log showed a permission denied error for the workhorse socket, which led me to this page; it can be solved (at least in my case) with the command provided by miken32.
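Both answers above fix the AVC denial from the question with a one-off `chcon`, which only labels the inode that exists right now: `restorecon`, a relabel, or GitLab recreating the socket will drop it again. The script below is an example added here, not code from either answer and not part of GitLab's Omnibus tooling. It decodes an AVC record into the fields that matter (source type, target type, object class, denied permissions), maps the one case seen in this thread (httpd_t writing a sock_file with a generic label) to the `httpd_var_run_t` type the answers used, and emits a persistent `semanage fcontext` rule restricted to socket files (`-f s`) plus the `restorecon` that applies it. The socket path and the `httpd_var_run_t` choice are taken from the thread; the sample AVC line is the one quoted in the question, embedded here as test input; the `apply_fix` helper is the example's own and is only meant to be run as root on the GitLab host.

```shell
#!/bin/sh
# Example added to this thread (not from the answers, not GitLab's own tooling):
# make the workhorse socket label persistent instead of re-running chcon.
# Assumes the Omnibus paths used in the thread and CentOS 7 policycoreutils
# (semanage, restorecon, ausearch).

SOCKET='/var/opt/gitlab/gitlab-workhorse/socket'   # path from the thread

# Constructed sample input: the AVC record quoted in the question.
SAMPLE_AVC='type=AVC msg=audit(1522905628.444:872): avc:  denied  { write } for  pid=12407 comm="nginx" name="socket" dev="dm-2" ino=8871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file'

# avc_fields LINE -> "SRC_TYPE TGT_TYPE CLASS PERMS"
# The SELinux type is the third colon-separated field of a context; the denied
# permissions sit between "{" and "}". Everything else in the record is ignored.
avc_fields() {
  printf '%s\n' "$1" | awk '
    {
      perms = ""; inperm = 0; src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm) { perms = (perms == "") ? $i : perms "," $i; continue }
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        if (key == "scontext")      { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        else if (key == "tclass")   cls = val
      }
      print src, tgt, cls, perms
    }'
}

# label_for SRC_TYPE TGT_TYPE CLASS PERMS -> type to put on the object.
# Only the case from this thread is encoded. Anything else returns non-zero so
# the caller never guesses: a wrong label silently widens what httpd_t may touch.
label_for() {
  case "$1:$3" in
    httpd_t:sock_file) echo httpd_var_run_t ;;
    *) return 1 ;;
  esac
}

# fcontext_cmds PATH TYPE -> the commands that make the label persistent.
# -f s limits the rule to socket files, so a regular file at that path would
# not pick up the httpd-accessible type. -a fails if the rule already exists,
# in which case -m updates it. restorecon applies the rule to the live socket.
fcontext_cmds() {
  printf "semanage fcontext -a -f s -t %s '%s' || semanage fcontext -m -f s -t %s '%s'\n" \
    "$2" "$1" "$2" "$1"
  printf "restorecon -v '%s'\n" "$1"
}

# apply_fix AVC_LINE: run the fix for real. Refuses without root and semanage.
# Usage on the host:  apply_fix "$(grep 'comm="nginx"' /var/log/audit/audit.log | tail -n 1)"
apply_fix() {
  if [ "$(id -u)" -ne 0 ] || ! command -v semanage >/dev/null 2>&1; then
    echo "apply_fix: needs root and policycoreutils-python (semanage)" >&2
    return 2
  fi
  fields=$(avc_fields "$1")
  # shellcheck disable=SC2086  # deliberate word splitting into four arguments
  type=$(label_for $fields) || { echo "apply_fix: no known label for: $fields" >&2; return 1; }
  fcontext_cmds "$SOCKET" "$type" | sh -e || return 1
  ls -Z "$SOCKET"                      # expect the type column to read httpd_var_run_t
  ausearch -m avc -c nginx -ts recent  # any new denials after retrying the request
}
```

Two caveats a practitioner should keep in mind. First, the persistent rule survives a relabel, but gitlab-workhorse recreates the socket on every restart and, running unconfined, gives it the parent directory's type (var_t, as the question's tcontext shows), so `restorecon` still has to follow `gitlab-ctl restart`; the alternative of labelling the whole `/var/opt/gitlab/gitlab-workhorse` directory `httpd_var_run_t` avoids that but also exposes everything else in that directory to httpd_t, which is why the example keeps the rule to the socket. Second, the SELinux label is only half of the access check: the DAC side still needs the `usermod -aG git,gitlab-www nginx` and directory permissions from the first answer.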