On a self-managed GitLab instance, pushing and pulling over SSH with a key still fails even though "Fast lookup of authorized SSH keys" is enabled.
Even with the key configured, a push keeps prompting for a password:
$ git push --set-upstream origin --all
git@git-hk.vvave.net's password:
My first suspicion was an environment misconfiguration, but repeated checks turned up nothing. Then it occurred to me that this instance was a fresh AlmaLinux 9 install from the official image, and unlike cloud images, it does not ship with SELinux disabled.
Root cause
Checking SELinux status with sestatus confirms that it is indeed still enabled and enforcing:
$ sudo sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Next, check the audit log at /var/log/audit/audit.log to see whether the request is being blocked. It contains many entries like these:
type=AVC msg=audit(1745223505.142:944): avc: denied { connectto } for pid=22062 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/sockets/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1745223505.142:944): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=c0001fea90 a2=32 a3=0 items=0 ppid=22060 pid=22062 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="gitlab-shell-au" exe="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="git" GID="git" EUID="git" SUID="git" FSUID="git" EGID="git" SGID="git" FSGID="git"
type=PROCTITLE msg=audit(1745223505.142:944): proctitle=2F6F70742F6769746C61622F656D6265646465642F736572766963652F6769746C61622D7368656C6C2F62696E2F6769746C61622D7368656C6C2D617574686F72697A65642D6B6579732D636865636B0067697400676974004141414143334E7A6143316C5A4449314E544535414141414946687049434B3452454556707472
type=AVC msg=audit(1745223507.144:945): avc: denied { connectto } for pid=22062 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/sockets/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1745223507.144:945): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=c0000ca690 a2=32 a3=0 items=0 ppid=22060 pid=22062 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="gitlab-shell-au" exe="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="git" GID="git" EUID="git" SUID="git" FSUID="git" EGID="git" SGID="git" FSGID="git"
type=PROCTITLE msg=audit(1745223507.144:945): proctitle=2F6F70742F6769746C61622F656D6265646465642F736572766963652F6769746C61622D7368656C6C2F62696E2F6769746C61622D7368656C6C2D617574686F72697A65642D6B6579732D636865636B0067697400676974004141414143334E7A6143316C5A4449314E544535414141414946687049434B3452454556707472
type=USER_AUTH msg=audit(1745223507.145:946): pid=22060 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="git" exe="/usr/sbin/sshd" hostname=? addr=172.16.16.213 terminal=ssh res=failed'UID="root" AUID="unset"
This confirms that SELinux is blocking the SSH login: the authorized-keys lookup that sshd runs (gitlab-shell-authorized-keys-check, in the sshd_t domain) is denied connectto on the GitLab Workhorse socket, so public-key authentication fails and sshd falls back to a password prompt.
Solution
Following the Red Hat documentation, use the audit2allow tool to generate a custom SELinux policy module:
sudo -i
cat /var/log/audit/audit.log | audit2allow -a -M gitlab
Tip: make sure you see a message like the one below before continuing:
******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i gitlab.pp
If instead you see an error like:
compilation failed: gitlab.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration
push code a few more times in the test environment so that more denial records are collected, then rerun the command to generate the module.
Then apply the module:
semodule -i gitlab.pp
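Because audit2allow -a turns every denial in the whole audit log into an allow rule, it is worth knowing exactly what the generated module will grant before loading it. The Python helper below is an added example (not from the original post or from GitLab): it groups AVC denials by source type, target type and object class, optionally filtered by process name, and renders the allow statements a .te module would need; the log excerpt is constructed from the records above plus one unrelated denial.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records of the shape seen above, plus an
# unrelated httpd denial to show why filtering by comm matters.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1745223505.142:944): avc: denied { connectto } for pid=22062 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/sockets/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1745223505.142:944): arch=c000003e syscall=42 success=no exit=-13 comm="gitlab-shell-au"
type=AVC msg=audit(1745223507.144:945): avc: denied { connectto } for pid=22062 comm="gitlab-shell-au" path="/var/opt/gitlab/gitlab-workhorse/sockets/socket" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1745223600.000:950): avc: denied { read } for pid=31337 comm="httpd" name="secret.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Matches the fields of an AVC denial record (real logs use double spaces; \s+ covers both).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field (third colon-separated element) of a SELinux context."""
    return context.split(":")[2]


def collect_denials(log_text, comm=None):
    """Group AVC denials into {(source_type, target_type, class): {permissions}}.
    If comm is given, only denials raised by that process name are kept."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        key = (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render grouped denials as the allow statements a .te module would contain."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


if __name__ == "__main__":
    # With the comm filter only the GitLab denial is turned into a rule.
    for rule in to_allow_rules(collect_denials(SAMPLE_AUDIT_LOG, comm="gitlab-shell-au")):
        print(rule)
```

On a real host, read /var/log/audit/audit.log instead of the sample and compare the output with the gitlab.te that audit2allow writes next to gitlab.pp.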
Appendix
References
- Authorized keys database lookup SELinux failure - GitLab.org
- sshd access to git user's authorized_keys file blocked by selinux on CentOS Stream 8 - GitLab.org
This article was written by 柒 and is licensed under the Creative Commons Attribution 4.0 International License.
Please credit the source when reprinting; the author reserves all rights.
Last edited: 2025-04-21 16:36 PM