RHEL-120426

Grafana prevents plugins from searching cgroups


    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • rhel-9.7
    • grafana
    • Yes
    • Low
    • rhel-pt-pcp
    • 2

      The problem does not seem to be severe, because the service starts and runs successfully with the default configuration. However, SELinux denials appear every time the test is executed.

      Reproducer:

      # grafana cli plugins install grafana-mqtt-datasource
      # systemctl restart grafana-server
      # curl -f -s 'http://admin:admin@localhost:3000/api/plugins' | jq -r '.[].id' | grep -w 'grafana-mqtt-datasource'
      # audit2allow -a
      # ausearch -m AVC
      

      Output of the "audit2allow -a":

      #============= grafana_t ==============
      allow grafana_t cgroup_t:dir search;
      allow grafana_t cgroup_t:file { open read };
      

      Output of the "ausearch -m AVC":

      ----
      time->Fri Oct 10 00:26:20 2025
      type=PROCTITLE msg=audit(1760070380.631:717): proctitle="/var/lib/grafana/plugins/grafana-mqtt-datasource/gpx_mqtt_linux_amd64"
      type=SYSCALL msg=audit(1760070380.631:717): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=1ced6a0 a2=80000 a3=0 items=0 ppid=13843 pid=13860 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="gpx_mqtt_linux_" exe="/var/lib/grafana/plugins/grafana-mqtt-datasource/gpx_mqtt_linux_amd64" subj=system_u:system_r:grafana_t:s0 key=(null)
      type=AVC msg=audit(1760070380.631:717): avc:  denied  { search } for  pid=13860 comm="gpx_mqtt_linux_" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
      ----
      time->Fri Oct 10 00:50:19 2025
      type=PROCTITLE msg=audit(1760071819.094:1484): proctitle="/var/lib/grafana/plugins/grafana-mqtt-datasource/gpx_mqtt_linux_amd64"
      type=SYSCALL msg=audit(1760071819.094:1484): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1ced6a0 a2=80000 a3=0 items=0 ppid=23247 pid=23258 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="gpx_mqtt_linux_" exe="/var/lib/grafana/plugins/grafana-mqtt-datasource/gpx_mqtt_linux_amd64" subj=system_u:system_r:grafana_t:s0 key=(null)
      type=AVC msg=audit(1760071819.094:1484): avc:  denied  { open } for  pid=23258 comm="gpx_mqtt_linux_" path="/sys/fs/cgroup/system.slice/grafana-server.service/cpu.max" dev="cgroup2" ino=5675 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1760071819.094:1484): avc:  denied  { read } for  pid=23258 comm="gpx_mqtt_linux_" name="cpu.max" dev="cgroup2" ino=5675 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
      

              pcp-maint
              Jan Kurik (jkurik@redhat.com)
              pcp-maint
              Jan Kurik
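
Added example, not part of the original report and not code from Grafana or the SELinux tools: a Python triage helper that groups the AVC records quoted in the report by source type, target type and class, renders them in audit2allow's rule syntax, and tracks which permissions were denied with permissive=0. The function names are hypothetical; the sample input is the three AVC lines copied from the report.

```python
import re
from collections import defaultdict

# Sample input: the three type=AVC lines copied verbatim from the report above.
SAMPLE = """\
type=AVC msg=audit(1760070380.631:717): avc:  denied  { search } for  pid=13860 comm="gpx_mqtt_linux_" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1760071819.094:1484): avc:  denied  { open } for  pid=23258 comm="gpx_mqtt_linux_" path="/sys/fs/cgroup/system.slice/grafana-server.service/cpu.max" dev="cgroup2" ino=5675 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1760071819.094:1484): avc:  denied  { read } for  pid=23258 comm="gpx_mqtt_linux_" name="cpu.max" dev="cgroup2" ino=5675 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+"
    r"tclass=(?P<cls>\S+)(?:\s+permissive=(?P<perm>[01]))?"
)

def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class).
    "enforced" holds permissions denied with permissive=0 (access really failed)."""
    out = defaultdict(lambda: {"perms": set(), "enforced": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, SYSCALL and separator lines
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        perms = m["perms"].split()
        out[key]["perms"].update(perms)
        if m["perm"] == "0":
            out[key]["enforced"].update(perms)
    return dict(out)

def allow_rules(summary):
    """Render the grouped denials in audit2allow's rule syntax."""
    rules = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = sorted(info["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```

On the report's records, only the `dir search` denial carries permissive=0; the `file` open and read denials were logged with permissive=1, where the syscall succeeded.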