Omnibus embedded logrotate SELinux context issue on CentOS 7
Created by: bcc
Running the 7.9.1 omnibus packages on CentOS 7 with SELinux enabled, we get nightly emails from the system logrotate complaining about /var/lib/logrotate.status:
/etc/cron.daily/logrotate:
error: error stat()ing state file /var/lib/logrotate.status: Permission denied
It looks like the embedded logrotate is also configured to update this file, and when it does so, it is resetting the SELinux context from system_u:object_r:logrotate_var_lib_t:s0 to system_u:object_r:init_var_lib_t:s0.
Restorecon fixes it for a while, but it does get reset.
# restorecon -v /var/lib/logrotate.status
restorecon reset /var/lib/logrotate.status context system_u:object_r:init_var_lib_t:s0->system_u:object_r:logrotate_var_lib_t:s0
And I'm pretty sure that the embedded logrotate is the cause:
root@git:/opt/gitlab/embedded/sbin# strings logrotate |grep logrotate.status
/var/lib/logrotate.status
Setup details:
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.1.5p273
Gem Version: 2.2.1
Bundler Version: 1.5.3
Rake Version: 10.4.2
Sidekiq Version: 3.3.0
GitLab information
Version: 7.9.1
Revision: 6f6c5f18
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://redacted.internal
HTTP Clone URL: https://redacted.internal/some-project.git
SSH Clone URL: [email protected]:some-project.git
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 2.6.0
Repositories: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
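
A read-only check for the label drift described in this report, as an added example that is not part of the original issue or of the GitLab packages: it parses the restorecon output format quoted above and reports the type found on the file and the type the policy expects. The function names, the --check switch, and the assumption that `restorecon -n -v` prints the same line format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original report: report label drift on the
# logrotate state file without relabeling it.

STATE_FILE=/var/lib/logrotate.status   # path from the report

# Print the type field of a context such as system_u:object_r:foo_t:s0.
selinux_type() {
    local rest="$1" setype
    case $rest in *:*:*:*) ;; *) return 1 ;; esac
    rest=${rest#*:}     # drop the user field
    rest=${rest#*:}     # drop the role field
    setype=${rest%%:*}
    [ -n "$setype" ] || return 1
    printf '%s\n' "$setype"
}

# Parse one `restorecon -v` line in the format shown in the report:
#   restorecon reset PATH context OLD->NEW
# Prints "PATH OLD_TYPE NEW_TYPE"; returns 1 for any other line.
parse_reset() {
    local line="$1" path ctxs old new
    case $line in
        "restorecon reset "*" context "*"->"*) ;;
        *) return 1 ;;
    esac
    line=${line#"restorecon reset "}
    path=${line%%" context "*}
    ctxs=${line#*" context "}
    old=$(selinux_type "${ctxs%%->*}") || return 1
    new=$(selinux_type "${ctxs#*->}") || return 1
    printf '%s %s %s\n' "$path" "$old" "$new"
}

# Dry run (-n): assumes restorecon reports the mismatch in the same format
# as above while leaving the label untouched. Returns 1 on drift.
check_drift() {
    local out fields
    out=$(restorecon -n -v "$STATE_FILE" 2>&1 | head -n 1)
    if fields=$(parse_reset "$out"); then
        set -- $fields
        echo "DRIFT $1: labeled $2, policy expects $3"
        return 1
    fi
    echo "OK $STATE_FILE"
}

# Run the live check only when asked, e.g. from cron: script.sh --check
if [ "${1-}" = "--check" ]; then check_drift; fi
```

Other restorecon versions may word the verbose line differently, in which case the pattern in parse_reset needs adjusting.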