Bug 2196845

Summary: grafana-server service runs as unconfined_service_t [rhel-8]
Product: Red Hat Enterprise Linux 8
Reporter: Jan Kurik <jkurik>
Component: grafana
Assignee: sfeifer
Status: ASSIGNED
QA Contact: Jan Kurik <jkurik>
Severity: unspecified
Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: unspecified
Version: 8.8
CC: jkurik, markobri, nathans, scox
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Story
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Kurik 2023-05-10 13:12:00 UTC
Description of problem:
grafana-server service runs as unconfined_service_t, which violates STIG, as STIG CIS server level 1 profile requires no service to run as "unconfined_service_t" SELinux type.

Version-Release number of selected component (if applicable):
grafana-7.5.15-4.el8

How reproducible:
Always

Steps to Reproduce:
1. Install grafana and start grafana-server service
# yum install -y grafana
# systemctl start grafana-server
2. Check if the grafana process runs as unconfined service type
# ps -efZ | grep grafana-server

Actual results:
Grafana runs as unconfined service type:

# ps -efZ | grep grafana-server
system_u:system_r:unconfined_service_t:s0 grafana 40052 1  4 08:59 ?       00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning


Expected results:
Grafana does not run as unconfined service type

Additional info:
https://access.redhat.com/articles/2918071
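The check in step 2 of the reproduction above can be turned into a small audit script. The following is an added example, not part of the bug report or of the grafana package: it parses `ps -efZ` output and lists every process whose SELinux type is unconfined_service_t, which is the condition the STIG/CIS profile flags. It assumes the standard `ps -efZ` column layout (SELinux context first, PID third, command from the ninth column onward); the sample output embedded in it is constructed for the example, with the grafana-server line modelled on the one reported above.

```shell
#!/bin/sh
# Added example (not from the bug report): audit "ps -efZ" output for
# services running in the unconfined_service_t SELinux domain.
# Assumed column layout: $1 = SELinux context, $3 = PID, $9.. = command.

# Print the SELinux type (third colon-separated part of the context)
# found on one "ps -efZ" line.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Read "ps -efZ" output on stdin and print "PID COMMAND" for every
# process whose type is unconfined_service_t. The header line is skipped.
find_unconfined() {
    awk '
        $1 == "LABEL" { next }            # ps header line
        {
            split($1, c, ":")
            if (c[3] == "unconfined_service_t") {
                cmd = $9
                for (i = 10; i <= NF; i++) cmd = cmd " " $i
                print $3, cmd
            }
        }'
}

# Constructed sample output: one unconfined service (grafana-server, as in
# the bug report) next to two daemons running in their own confined domains.
SAMPLE='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 grafana 40052 1  4 08:59 ?       00:00:00 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini
system_u:system_r:sshd_t:s0-s0:c0.c1023 root     1042     1  0 08:55 ?       00:00:00 /usr/sbin/sshd -D
system_u:system_r:httpd_t:s0     apache   2233  2201  0 08:57 ?       00:00:00 /usr/sbin/httpd -DFOREGROUND'

# Number of unconfined services found in the constructed sample.
unconfined_count() {
    printf '%s\n' "$SAMPLE" | find_unconfined | wc -l | tr -d ' '
}

# With --live, audit the running host instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ps -efZ | find_unconfined
else
    printf '%s\n' "$SAMPLE" | find_unconfined
fi
```

Run without arguments it reports the one offending sample line (`40052 /usr/sbin/grafana-server ...`); run with `--live` on an SELinux-enabled RHEL 8 host it reports the real grafana-server process while the bug is present, and an empty result once the service is confined to a dedicated domain.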

Comment 1 Nathan Scott 2023-07-13 23:56:53 UTC
No response to my request for assistance from our selinux folk so far,
however I did come across this policy which provides a starting point:

https://github.com/georou/grafana-selinux
https://github.com/grafana/grafana/issues/17138