-
Story
-
Resolution: Done-Errata
-
Undefined
-
rhel-9.2.0
-
grafana-9.2.10-12.el9
-
None
-
rhel-sst-pt-pcp
-
ssg_platform_tools
-
10
-
14
-
None
-
QE ack
-
False
-
-
Yes
-
None
-
Pass
-
grafana-9.2.10-10.el9
-
None
-
Enhancement
-
-
Done
-
-
Unspecified
-
None
Description of problem:
grafana-server service runs as unconfined_service_t, which violates STIG, as STIG CIS server level 1 profile requires no service to run as "unconfined_service_t" SELinux type.
Version-Release number of selected component (if applicable):
grafana-9.0.9-2.el9
How reproducible:
Always
Steps to Reproduce:
1. Install grafana and start grafana-server service
- yum install -y grafana
- systemctl start grafana-server
2. Check if the grafana process runs as unconfined service type - ps -efZ | grep grafana-server
Actual results:
Grafana runs as unconfined service type:
- ps -efZ | grep grafana-server
system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
Expected results:
Grafana does not run as unconfined service type
Additional info:
https://access.redhat.com/articles/2918071
- external trackers
- links to
-
RHBA-2023:124264 grafana bug fix and enhancement update