RHEL-7505: grafana-server service runs as unconfined_service_t [rhel-9]

    • grafana-9.2.10-12.el9
    • rhel-sst-pt-pcp
    • ssg_platform_tools
    • QE ack
    • Enhancement
    • Done

      Release note:

      .A new `grafana-selinux` package

      Previously, the default installation of `grafana-server` ran as the `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and is installed by default with `grafana-server`. As a result, `grafana-server` now runs as the `grafana_t` SELinux type.

      Description of problem:
      The grafana-server service runs as unconfined_service_t, which violates the STIG: the STIG CIS Server Level 1 profile requires that no service run as the "unconfined_service_t" SELinux type.

      Version-Release number of selected component (if applicable):
      grafana-9.0.9-2.el9

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install grafana and start the grafana-server service:
         yum install -y grafana
         systemctl start grafana-server
      2. Check whether the grafana process runs as the unconfined service type:
         ps -efZ | grep grafana-server

      Actual results:
      Grafana runs as the unconfined service type:

      $ ps -efZ | grep grafana-server
        system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

      Expected results:
      Grafana does not run as unconfined service type
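      The check in the reproduction steps, as an added example that is not part of the issue: instead of grepping `ps -efZ` for one daemon, this script lists every process whose SELinux domain is a given type and returns a non-zero exit status when any is found, which is what a compliance check for the STIG "no unconfined_service_t services" rule needs. It assumes the `ps -eo label,pid,comm` output format (label, PID, command name per line) and that the type is the third colon-separated field of the label; the sample `ps` output is constructed, modelled on the line in the issue.

```shell
#!/bin/sh
# Added example, not from RHEL-7505: list processes whose SELinux domain is a
# given type, the same check the issue performs with `ps -efZ | grep`, but
# generalised to any type and usable as a compliance gate (exit status).
# Assumed input format: one "<label> <pid> <comm>" line per process, as printed
# by `ps -eo label,pid,comm` (the header line is skipped because its first field
# has no colon-separated type).

# Print "pid comm" for each process running in SELinux type $1
# (default unconfined_service_t). Reads ps output from stdin.
processes_in_type() {
    want="${1:-unconfined_service_t}"
    awk -v want="$want" '
        NF >= 3 {
            # label is user:role:type:level; MLS levels may contain more colons,
            # so only the first three fields are relied on
            split($1, ctx, ":")
            if (ctx[3] == want) print $2, $3
        }'
}

# Number of processes in the type; 0 is the state the STIG profile expects
# for unconfined_service_t.
count_in_type() {
    processes_in_type "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the ps line in the issue: one grafana-server
# still unconfined, one already confined as grafana_t after the policy update.
SAMPLE_PS='LABEL PID COMMAND
system_u:system_r:init_t:s0 1 systemd
system_u:system_r:unconfined_service_t:s0 40052 grafana-server
system_u:system_r:grafana_t:s0 40100 grafana-server
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 sshd'

# Live check: print offenders and return 1 if any process on this host is in
# the type. Only run on request, because the host running this example may not
# have SELinux enabled at all.
check_live() {
    found=$(ps -eo label,pid,comm | processes_in_type "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--live" ]; then
    check_live unconfined_service_t
else
    printf '%s\n' "$SAMPLE_PS" | processes_in_type   # prints: 40052 grafana-server
fi
```

      Run with `--live` on a RHEL host to test the real process table; after installing the `grafana-selinux` package the grafana-server line should disappear from the default output and show up instead under `processes_in_type grafana_t`.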

      Additional info:
      https://access.redhat.com/articles/2918071

      People: Sam Feifer (rh-ee-sfeifer), Jan Kurik (jkurik@redhat.com), Jacob Valdez (Inactive)