Loading...

XML

Word

Printable

Type: Story
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.2.0
Component/s: grafana
Labels:

Fixed in Build:
grafana-9.2.10-12.el9

Pool Team:

rhel-sst-pt-pcp
Sub-System Group:

ssg_platform_tools

Dev Target Milestone:
10
Internal Target Milestone:
14
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Preliminary Testing:
Pass
Test Link:
https://src.fedoraproject.org/tests/grafana/blob/main/f/Sanity/selinux-unconfined
Testable Builds:
grafana-9.2.10-10.el9
Errata Link:
https://errata.devel.redhat.com/advisory/124264
Test Coverage:
None

Release Note Type:
Enhancement
Release Note Text:

Hide
.A new `grafana-selinux` package

Previously, the default installation of `grafana-server` ran as an `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and which is installed by default with `grafana-server`. As a result, `grafana-server` now runs as `grafana_t` SELinux type.

Show
.A new `grafana-selinux` package Previously, the default installation of `grafana-server` ran as an `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and which is installed by default with `grafana-server`. As a result, `grafana-server` now runs as `grafana_t` SELinux type.
Release Note Status:
Done

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2196847

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
grafana-server service runs as unconfined_service_t, which violates STIG, as STIG CIS server level 1 profile requires no service to run as "unconfined_service_t" SELinux type.

Version-Release number of selected component (if applicable):
grafana-9.0.9-2.el9

How reproducible:
Always

Steps to Reproduce:
1. Install grafana and start grafana-server service

yum install -y grafana
systemctl start grafana-server
2. Check if the grafana process runs as unconfined service type
ps -efZ | grep grafana-server

Actual results:
Grafana runs as unconfined service type:

ps -efZ | grep grafana-server
system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

Expected results:
Grafana does not run as unconfined service type

Additional info:
https://access.redhat.com/articles/2918071

external trackers

CEE GitLab toolchain-qe/tests/grafana/-/tree/master/Sanity/selinux-unconfined

Red Hat Issue Tracker RHELPLAN-156890

links to

RHBA-2023:124264 grafana bug fix and enhancement update

Test Requirement (BASEOS-18441)

Assignee:: Sam Feifer

Reporter:: Jan Kurik

Developer:: Sam Feifer

QA Contact:: Jan Kurik

Doc Contact:: Jacob Valdez (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2023/09/22 5:39 PM

Updated:: 2024/04/30 9:48 AM

Resolved:: 2024/04/30 9:48 AM

Target end:: 2023/12/04

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates