• grafana-9.2.10-12.el9
      A new `grafana-selinux` package

      Previously, the default installation of `grafana-server` ran as the `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and is installed by default together with `grafana-server`. As a result, `grafana-server` now runs as the `grafana_t` SELinux type.

      Description of problem:
      The grafana-server service runs as unconfined_service_t, which violates STIG, as the STIG CIS server level 1 profile requires that no service run as the "unconfined_service_t" SELinux type.

      Version-Release number of selected component (if applicable):
      grafana-9.0.9-2.el9

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install grafana and start the grafana-server service:
         yum install -y grafana
         systemctl start grafana-server
      2. Check whether the grafana process runs as the unconfined service type:
         ps -efZ | grep grafana-server

      Actual results:
      Grafana runs as the unconfined service type:

      # ps -efZ | grep grafana-server
      system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

      Expected results:
      Grafana does not run as unconfined service type

      Additional info:
      https://access.redhat.com/articles/2918071
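An added check, not part of the bug report, that automates the `ps -efZ` step above as a STIG-style compliance scan: it parses `ps -efZ` output (or reads `/proc/<pid>/attr/current` on a live host) and lists every process whose SELinux domain is `unconfined_service_t`. The sample ps output is constructed; only the grafana-server line is taken from the report.

```python
import os

# Constructed sample of `ps -efZ` output. The grafana-server line is the one
# quoted in the bug report above; the other lines are made up for illustration.
SAMPLE_PS = """\
LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:init_t:s0 root 1 0 0 08:50 ? 00:00:01 /usr/lib/systemd/systemd
- root 2 0 0 08:50 ? 00:00:00 [kthreadd]
system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1180 1 0 08:51 ? 00:00:00 /usr/sbin/sshd -D
"""

FORBIDDEN_TYPE = "unconfined_service_t"  # the domain the STIG profile disallows for services


def selinux_type(label):
    """Return the type field of a user:role:type[:level] context; None for '-' (no label)."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def unconfined_services(ps_output):
    """Parse `ps -efZ` text and return (pid, user, executable) for each unconfined service."""
    hits = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 8)               # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 9:
            continue
        label, user, pid, cmd = fields[0], fields[1], fields[2], fields[8]
        if selinux_type(label) == FORBIDDEN_TYPE:
            hits.append((int(pid), user, cmd.split()[0]))
    return hits


def live_unconfined_services(proc="/proc"):
    """Same check on a running Linux host, reading /proc/<pid>/attr/current directly."""
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/attr/current") as f:
                label = f.read().rstrip("\0\n")
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue                               # process exited or not readable
        if selinux_type(label) == FORBIDDEN_TYPE:
            hits.append((int(entry), comm))
    return hits
```

Processes with no label (`-`, kernel threads) are skipped rather than reported, and on the live path the check survives processes that exit mid-scan.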

            [RHEL-7505] grafana-server service runs as unconfined_service_t [rhel-9]

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (grafana bug fix and enhancement update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2024:2205


            Gabriela Fialova added a comment -

            This enhancement has been added into the tickets.yaml file for the RHEL 9.4 Beta release notes.

            Jan Kurik added a comment - - edited

            The issue with the grafana-selinux package being masked has been solved and the package is now present in the RHEL-9.4.0-20231130.15 compose.

            However, during regression testing with this compose, I am facing a new AVC, not seen before. For some unknown reason this is again reproducible on s390x and ppc64le architectures only:

            # audit2allow -a
            #============= grafana_t ==============
            allow grafana_t self:netlink_route_socket { bind getattr nlmsg_read };
            
            # ausearch -m AVC
            ----
            type=PROCTITLE msg=audit(1701333908.654:2980): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1701333908.654:2980): arch=80000016 syscall=102 success=yes exit=0 a0=2 a1=3ff327fb268 a2=c a3=3ff327fb5f8 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2980): avc:  denied  { bind } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            ----
            type=PROCTITLE msg=audit(1701333908.654:2981): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SOCKADDR msg=audit(1701333908.654:2981): saddr=001000000001F67A00000000
            type=SYSCALL msg=audit(1701333908.654:2981): arch=80000016 syscall=102 success=yes exit=0 a0=6 a1=3ff327fb280 a2=3ff327fb39c a3=3ff327fb5f8 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2981): avc:  denied  { getattr } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            ----
            type=PROCTITLE msg=audit(1701333908.654:2982): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1701333908.654:2982): arch=80000016 syscall=102 success=yes exit=20 a0=b a1=3ff327fa268 a2=3ff327fc840 a3=0 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2982): avc:  denied  { nlmsg_read } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            

            The AVC record pops up when a grafana user uses an email address as the username.


            Jan Kurik added a comment -

            Postponing ITM as the testing is currently blocked by ENGCMP-3571.


            Jan Kurik added a comment -

            Hi rh-ee-sfeifer,

            for some reason on s390x and ppc64le architectures I am getting the following AVC when I am trying to authenticate a non-existing user via the API:

            # audit2allow -a
            #============= grafana_t ==============
            allow grafana_t self:netlink_route_socket create;
            
            # ausearch -m AVC
            ----
            type=PROCTITLE msg=audit(1700489411.120:2927): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1700489411.120:2927): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ff5be9e280 a2=0 a3=3ff5be9e5f8 items=0 ppid=1 pid=126759 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1700489411.120:2927): avc:  denied  { create } for  pid=126759 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=0
            

            This is not reproducible on aarch64 or x86_64 architectures. It is not clear to me why it behaves differently for different arches.

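An added helper, not from the thread, that reproduces what `audit2allow -a` derived from the AVC records in the two comments above: it parses `type=AVC` lines, merges the denied permissions per source type, target and class into an allow rule, and counts how many denials happened with permissive=0, i.e. were actually blocked rather than only logged. The sample records are copies of the four AVC lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the four type=AVC records quoted in the comments above, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1701333908.654:2980): avc:  denied  { bind } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1701333908.654:2981): avc:  denied  { getattr } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1701333908.654:2982): avc:  denied  { nlmsg_read } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1700489411.120:2927): avc:  denied  { create } for  pid=126759 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<perm>[01])"
)


def parse_avc(line):
    """Split one AVC record into its source type, target type, class, perms and mode."""
    m = AVC_RE.search(line)
    if not m:
        return None                      # not an AVC line (SYSCALL, PROCTITLE, ...)
    d = m.groupdict()
    return {
        "perms": set(d["perms"].split()),
        "stype": d["scon"].split(":")[2],   # user:role:type:level -> type
        "ttype": d["tcon"].split(":")[2],
        "tclass": d["tclass"],
        "permissive": d["perm"] == "1",     # 1 = logged only, 0 = actually blocked
    }


def summarize(text):
    """Return audit2allow-style allow rules and, per rule, how many denials were enforced."""
    rules, enforced = defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        key = (rec["stype"], target, rec["tclass"])
        rules[key] |= rec["perms"]
        if not rec["permissive"]:
            enforced[key] += 1
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {target}:{tclass} {body};")
    return out, dict(enforced)
```

The enforced count separates the `create` denial (permissive=0, the syscall failed with exit=-13) from the three that were only logged under permissive mode, which is the distinction a policy reviewer needs before deciding whether a generated rule belongs in the package policy.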

            pm-rhel added a comment -

            Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

