    • Fixed in Build: grafana-9.2.10-12.el9
    • rhel-sst-pt-pcp
    • Sub-System Group: ssg_platform_tools
    • Dev Target Milestone: 10
    • Internal Target Milestone: 14
    • ACKs Check: QE ack
    • Product Documentation Required: Yes
    • Release Note Type: Enhancement
    • Release Note Text:

      .A new `grafana-selinux` package

      Previously, the default installation of `grafana-server` ran as an `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and which is installed by default with `grafana-server`. As a result, `grafana-server` now runs as `grafana_t` SELinux type.
    • Resolution: Done

      Description of problem:
      grafana-server service runs as unconfined_service_t, which violates STIG, as STIG CIS server level 1 profile requires no service to run as "unconfined_service_t" SELinux type.

      Version-Release number of selected component (if applicable):
      grafana-9.0.9-2.el9

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install grafana and start the grafana-server service:
         yum install -y grafana
         systemctl start grafana-server
      2. Check if the grafana process runs as unconfined service type:
         ps -efZ | grep grafana-server

      Actual results:
      Grafana runs as unconfined service type:

      # ps -efZ | grep grafana-server
      system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

      Expected results:
      Grafana does not run as unconfined service type

      Additional info:
      https://access.redhat.com/articles/2918071
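The check in the steps above is a one-liner by hand, but a compliance scanner needs it as code. The following is an added example (not part of this issue or of any Red Hat tooling): a small Python parser for `ps -efZ` output that flags system services whose SELinux type is `unconfined_service_t`. The first sample record is the one quoted in the description; the second record, showing a confined `grafana_t` process, is constructed so the check has a passing case too.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ps -efZ` output. The first process record is the one quoted in the
# issue description; the second is a made-up record for a confined grafana-server so the
# check has both a failing and a passing case. The header line is the one ps prints.
SAMPLE_PS_EFZ = """\
LABEL                           UID          PID    PPID  C STIME TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 grafana 40052 1 4 08:59 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
system_u:system_r:grafana_t:s0 grafana 40099 1 0 09:01 ? 00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini
"""

# SELinux types a system service must not run under. unconfined_service_t is the one the
# STIG profile cited in the description forbids; extend the set for site-specific policy.
FORBIDDEN_TYPES = frozenset({"unconfined_service_t"})


@dataclass
class Proc:
    seuser: str
    role: str
    setype: str
    level: str
    uid: str
    pid: int
    ppid: int
    cmd: str


def parse_ps_efz(text: str) -> List[Proc]:
    """Parse `ps -efZ` output into Proc records; header and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 8)          # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 9 or ":" not in fields[0]:
            continue                          # header line or not a process record
        label = fields[0].split(":", 3)       # seuser:role:type[:level]
        if len(label) < 3:
            continue
        procs.append(Proc(
            seuser=label[0], role=label[1], setype=label[2],
            level=label[3] if len(label) > 3 else "",
            uid=fields[1], pid=int(fields[2]), ppid=int(fields[3]), cmd=fields[8],
        ))
    return procs


def unconfined_services(procs: List[Proc], forbidden=FORBIDDEN_TYPES) -> List[Proc]:
    """Return daemons (ppid 1, i.e. started by systemd) whose SELinux type is forbidden."""
    return [p for p in procs if p.ppid == 1 and p.setype in forbidden]


def check_process_contexts(text: str):
    """Run the check over raw `ps -efZ` output; returns (passed, offending records)."""
    bad = unconfined_services(parse_ps_efz(text))
    return (len(bad) == 0, bad)


if __name__ == "__main__":
    ok, bad = check_process_contexts(SAMPLE_PS_EFZ)
    for p in bad:
        print(f"FAIL pid={p.pid} runs as {p.setype}: {p.cmd.split()[0]}")
    print("PASS" if ok else "FAIL")
```

On a live host, feed the check the output of `ps -efZ` instead of the embedded sample; the fix for a failing record is a confining policy for the daemon (the `grafana-selinux` package in this issue), not a relabel of the binary alone.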

            [RHEL-7505] grafana-server service runs as unconfined_service_t [rhel-9]

            Errata Tool made changes -
            Resolution New: Done-Errata [ 10803 ]
            Status Original: Release Pending [ 15735 ] New: Closed [ 6 ]

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (grafana bug fix and enhancement update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2024:2205

            Errata Tool made changes -
            Release Date New: 2024/04/30
            Jacob Valdez (Inactive) made changes -
            Release Note Status Original: In Progress [ 30960 ] New: Done [ 30963 ]
            Jacob Valdez (Inactive) made changes -
            Release Note Text Original: Feature, enhancement (describe the feature or enhancement from the user’s point of view):
            A selinux policy for grafana has been introduced that installs when grafana is installed.

            Reason (why has the feature or enhancement been implemented):
            A selinux policy enhances security.

            Result (what is the current user experience):
            Prior to introducing this selinux policy, grafana-server runs as "unconfined_service_t". With the policy, grafana-server runs as grafana_t.
            New: .A new `grafana-selinux` package

            Previously, the default installation of `grafana-server` ran as an `unconfined_service_t` SELinux type. This update adds the new `grafana-selinux` package, which contains an SELinux policy for `grafana-server` and which is installed by default with `grafana-server`. As a result, `grafana-server` now runs as `grafana_t` SELinux type.
            pme bot made changes -
            Reset contact to default Original: Watchers [ 32055 ]
            Gabriela Fialova made changes -
            Release Note Status New: In Progress [ 30960 ]

            This enhancement has been added into the tickets.yaml file for the RHEL 9.4 Beta release notes. 

            Rui Ormonde made changes -
            Product Documentation Required New: Yes [ 36650 ]
            Sam Feifer made changes -
            Release Note Text Original: Feature, enhancement (describe the feature or enhancement from the user’s point of view):
            Reason (why has the feature or enhancement been implemented):
            Result (what is the current user experience):
            New: Feature, enhancement (describe the feature or enhancement from the user’s point of view):
            A selinux policy for grafana has been introduced that installs when grafana is installed.

            Reason (why has the feature or enhancement been implemented):
            A selinux policy enhances security.

            Result (what is the current user experience):
            Prior to introducing this selinux policy, grafana-server runs as "unconfined_service_t". With the policy, grafana-server runs as grafana_t.
            Jacob Valdez (Inactive) made changes -
            Release Note Text New: Feature, enhancement (describe the feature or enhancement from the user’s point of view):
            Reason (why has the feature or enhancement been implemented):
            Result (what is the current user experience):
            Jacob Valdez (Inactive) made changes -
            Docs Impact Original: Unspecified [ 30765 ] New: RN only [ 30768 ]
            Jan Kurik made changes -
            Status Original: Integration [ 18721 ] New: Release Pending [ 15735 ]
            OSCI Bot made changes -
            Fixed in Build Original: grafana-9.2.10-11.el9 New: grafana-9.2.10-12.el9

            Jan Kurik added a comment - - edited

            The issue with the grafana-selinux package being masked has been solved and the package is now present in the RHEL-9.4.0-20231130.15 compose.

            However, during regression testing with this compose, I am facing a new AVC, not seen before. For some unknown reason this is again reproducible on s390x and ppc64le architectures only:

            # audit2allow -a
            #============= grafana_t ==============
            allow grafana_t self:netlink_route_socket { bind getattr nlmsg_read };
            
            # ausearch -m AVC
            ----
            type=PROCTITLE msg=audit(1701333908.654:2980): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1701333908.654:2980): arch=80000016 syscall=102 success=yes exit=0 a0=2 a1=3ff327fb268 a2=c a3=3ff327fb5f8 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2980): avc:  denied  { bind } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            ----
            type=PROCTITLE msg=audit(1701333908.654:2981): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SOCKADDR msg=audit(1701333908.654:2981): saddr=001000000001F67A00000000
            type=SYSCALL msg=audit(1701333908.654:2981): arch=80000016 syscall=102 success=yes exit=0 a0=6 a1=3ff327fb280 a2=3ff327fb39c a3=3ff327fb5f8 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2981): avc:  denied  { getattr } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            ----
            type=PROCTITLE msg=audit(1701333908.654:2982): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1701333908.654:2982): arch=80000016 syscall=102 success=yes exit=20 a0=b a1=3ff327fa268 a2=3ff327fc840 a3=0 items=0 ppid=1 pid=128634 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1701333908.654:2982): avc:  denied  { nlmsg_read } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1
            

            The AVC record pops up when a grafana user uses email address as username.


            Jan Kurik added a comment -

            Postponing ITM as the testing is currently blocked by ENGCMP-3571.

            Watson Automation made changes -
            Target end Original: 2023/11/27 New: 2023/12/04
            pme bot made changes -
            Link New: This issue is related to ATTACH-9735 [ ATTACH-9735 ]
            Jan Kurik made changes -
            Internal Target Milestone Original: 13 [ 27962 ] New: 14 [ 27963 ]
            Jan Kurik made changes -
            Link New: This issue is blocked by ENGCMP-3571 [ ENGCMP-3571 ]
            OSCI Bot made changes -
            Fixed in Build Original: grafana-9.2.10-10.el9 New: grafana-9.2.10-11.el9

            Jan Kurik added a comment -

            Hi rh-ee-sfeifer ,

            for some reason, on s390x and ppc64le architectures I am getting the following AVC when I am trying to authenticate a non-existing user via the API:

            # audit2allow -a
            #============= grafana_t ==============
            allow grafana_t self:netlink_route_socket create;
            
            # ausearch -m AVC
            ----
            type=PROCTITLE msg=audit(1700489411.120:2927): proctitle=2F7573722F7362696E2F67726166616E612D736572766572002D2D636F6E6669673D2F6574632F67726166616E612F67726166616E612E696E69002D2D70696466696C653D2F7661722F72756E2F67726166616E612F67726166616E612D7365727665722E706964002D2D7061636B6167696E673D72706D006366673A646566
            type=SYSCALL msg=audit(1700489411.120:2927): arch=80000016 syscall=102 success=no exit=-13 a0=1 a1=3ff5be9e280 a2=0 a3=3ff5be9e5f8 items=0 ppid=1 pid=126759 auid=4294967295 uid=988 gid=988 euid=988 suid=988 fsuid=988 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="grafana-server" exe="/usr/sbin/grafana-server" subj=system_u:system_r:grafana_t:s0 key=(null)
            type=AVC msg=audit(1700489411.120:2927): avc:  denied  { create } for  pid=126759 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=0
            

            This is not reproducible on aarch64 or x86_64 architectures. It is not clear to me why it behaves differently for different arches.

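The two Jan Kurik comments above show `audit2allow -a` collapsing raw `type=AVC` records into allow rules, once for denials logged in permissive mode (`bind getattr nlmsg_read`, `permissive=1`) and once for an enforced denial (`create`, `permissive=0`). As an added example, not part of this issue and not the audit2allow implementation, the following Python code parses the four AVC records quoted in those comments, separates enforced denials from permissive-mode ones, and regenerates the same two rules. The grouping logic is a simplified approximation of what audit2allow does; the input lines are copied from the comments, nothing else is from the page.

```python
import re
from collections import defaultdict

# Input copied from the two comments above: four type=AVC records. The first three carry
# permissive=1 (the grafana_t domain was permissive, so the syscalls succeeded and were only
# logged); the fourth carries permissive=0 and was an enforced denial (its SYSCALL record in
# the comment shows success=no exit=-13, i.e. EACCES).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1701333908.654:2980): avc:  denied  { bind } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1',
    'type=AVC msg=audit(1701333908.654:2981): avc:  denied  { getattr } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1',
    'type=AVC msg=audit(1701333908.654:2982): avc:  denied  { nlmsg_read } for  pid=128634 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=1',
    'type=AVC msg=audit(1700489411.120:2927): avc:  denied  { create } for  pid=126759 comm="grafana-server" scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:system_r:grafana_t:s0 tclass=netlink_route_socket permissive=0',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str):
    """Return a dict for one type=AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        # contexts are seuser:role:type:level; the type is what policy rules are written on
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit_log(text: str):
    """Pull the AVC records out of an `ausearch -m AVC` dump, ignoring SYSCALL/PROCTITLE lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def split_by_mode(records):
    """Separate real (enforced) denials from permissive-mode ones that did not block anything."""
    enforced = [r for r in records if not r["permissive"]]
    permissive = [r for r in records if r["permissive"]]
    return enforced, permissive


def audit2allow_rules(records):
    """Collapse denials into audit2allow-style allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        target = "self" if stype == ttype else ttype   # same domain on both sides -> self
        plist = sorted(ps)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    records = parse_audit_log("\n".join(SAMPLE_AVC_LINES))
    enforced, permissive = split_by_mode(records)
    print("# enforced denials (the daemon actually failed):")
    print("\n".join(audit2allow_rules(enforced)))
    print("# permissive-mode denials (logged only):")
    print("\n".join(audit2allow_rules(permissive)))
```

Treat the output as a starting point for policy review, not as something to load directly: a generated rule grants exactly what the daemon asked for, so the reviewer still has to decide whether `grafana-server` legitimately needs a `netlink_route_socket` (and, as the comments note, why the denial shows up only on some architectures). Keeping enforced and permissive-mode denials apart also tells you which records correspond to visible failures and which were harmless during a permissive test run.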
            RHEL Jira bot made changes -
            Status Original: In Progress [ 10018 ] New: Integration [ 18721 ]
            Errata Tool made changes -
            Remote Link New: This issue links to "RHBA-2023:124264 (Web Link)" [ 1479366 ]
            Errata Tool made changes -
            Jan Kurik made changes -
            Preliminary Testing Original: Requested [ 34176 ] New: Pass [ 34174 ]
            RHEL Jira bot made changes -
            Preliminary Testing Original: Pass [ 34174 ] New: Requested [ 34176 ]
            Jan Kurik made changes -
            Testable Builds New: grafana-9.2.10-10.el9
            Jan Kurik made changes -
            Preliminary Testing New: Pass [ 34174 ]
            OSCI Bot made changes -
            Fixed in Build New: grafana-9.2.10-10.el9
            sync bot made changes -
            Remote Link New: This issue links to "Test Requirement (BASEOS-18441) (Web Link)" [ 1474640 ]
            Sam Feifer made changes -
            Status Original: Planning [ 13521 ] New: In Progress [ 10018 ]
            Jan Kurik made changes -
            ACKs Check New: QE ack [ 31163 ]
            RHEL Jira bot made changes -
            Developer New: Sam Feifer [ JIRAUSER215268 ]
            Watson Automation made changes -
            Target end New: 2023/11/27
            Jan Kurik made changes -
            Internal Target Milestone New: 13 [ 27962 ]
            RHEL Jira bot made changes -
            Internal Target Milestone numeric Original: 42 New: 57005
            RH Bugzilla Integration made changes -
            Internal Target Milestone numeric New: 42

            pm-rhel added a comment -

            Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

            RHEL Jira bot made changes -
            Sub-System Group New: ssg_platform_tools [ 27796 ]
            RHEL Jira bot made changes -
            Reset contact to default Original: Assignee,Qa Contact,Doc Contact,Pool Team,Watchers,Developer [ 32051, 32052, 32053, 32054, 32055, 32850 ] New: Watchers [ 32055 ]
            RH Bugzilla Integration created issue -
            RH Bugzilla Integration made changes -
            Dev Target Milestone New: 10 [ 16975 ]
            Fix Version/s New: rhel-9.4.0 [ 12407281 ]
            Release Note Type Original: If docs needed, set a value [ 31859 ] New: Enhancement [ 30953 ]
            Assignee Original: grafana-maint [ grafana-maint ] New: Sam Feifer [ rh-ee-sfeifer ]
            Issue Type Original: Bug [ 1 ] New: Story [ 17 ]
            Labels Original: Unset New: FutureFeature MigratedToJIRA Triaged
            Status Original: New [ 10016 ] New: Planning [ 13521 ]
            RHEL Jira bot made changes -
            Component/s Original: grafana [ 12381197 ]
            RH Bugzilla Integration made changes -
            Remote Link New: This issue links to "Red Hat Issue Tracker RHELPLAN-156890 (Web Link)" [ 1404650 ]
            RH Bugzilla Integration made changes -
            Remote Link New: This issue links to "CEE GitLab toolchain-qe/tests/grafana/-/tree/master/Sanity/selinux-unconfined (Web Link)" [ 1404651 ]
            RH Bugzilla Integration made changes -
            Issue Type Original: Bug [ 1 ] New: Story [ 17 ]
            Labels Original: Unset New: FutureFeature MigratedToJIRA Triaged
            RHEL Jira bot made changes -
            Component/s New: grafana [ 12381197 ]
