Re: SELinux setup

Sat, 14 Feb 2015 02:55:57 -0800 

On 14/02/2015 04:19 πμ, Casper Færgemand wrote:
> I have Omnibus Gitlab running with the default Nginx disabled on a
> Centos 6.5 x64 machine. My other Nginx logs the following error:
> 
> 2015/02/14 02:01:36 [crit] 3669#0: *155 connect() to
> unix:/var/opt/gitlab/gitlab-rails/tmp/sockets/gitlab.socket failed (13:
> Permission denied) while connecting to upstream, client: 10.215.76.40,
> server: gitlab.domain.net, request: "GET / HTTP/1.1", upstream:
> "http://unix:/var/opt/gitlab/gitlab-rails/tmp/sockets/gitlab.socket:/";,
> host: "gitlab.domain.net"
> 
> "ls -la /var/opt/gitlab/gitlab-rails/tmp/sockets/" gives me:
> 
> "total 8
> drwx------. 2 git root 4096 Dec  5 15:51 .
> drwx------. 4 git root 4096 Dec  5 12:14 ..
> srwxrwxrwx. 1 git git     0 Dec  5 15:51 gitlab.socket"
> 
> "groups nginx" returns "nginx : nginx gitlab-www".
> 
> /etc/gitlab/gitlab.rb contains
> 
> "external_url 'https://gitlab.domain.net'
> redis['port'] = 1234
> postgresql['port'] = 5432
> nginx['enable'] = false
> web_server['external_users'] = ['gitlab-www']"
> 
> On loading gitlab in a browser, I get a "502, Gitlab is not responding."
> as well as a error in the log as listed above.
> 
> The guide
> https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#using-a-non-bundled-web-server
> refers to another guide here
> https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#using-a-non-bundled-web-server
>  which seems outdated. Any help as to what I should change to make
> SELinux accept Nginx reading the Gitlab socket? I do not what to turn
> off the firewall.

I had the same trouble almost 2 years ago and I had written a small
guide on making a SELinux policy for nginx [0].

Bottom line is:

yum install -y policycoreutils-{python,devel}
grep nginx /var/log/audit/audit.log | audit2allow -M gitlab_nginx
semodule -i gitlab_nginx.pp
usermod -a -G git nginx


[0]
http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/


-- 
GPG : 0x3A7DDABC985EDC6E
Blog: http://axilleas.me

-- 
You received this message because you are subscribed to the Google Groups 
"GitLab" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/gitlabhq/54DF297F.3080107%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to