Bug 2302128

Summary: grafana-server runs an unconfined service type
Product: [Fedora] Fedora
Reporter: Jan Kurik <jkurik>
Component: grafana
Assignee: sfeifer
Status: VERIFIED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 42
CC: agerstmayr, go-sig, jkurik, lchilton, nathans, scox, sfeifer
Hardware: Unspecified
OS: Linux

Description Jan Kurik 2024-07-31 18:35:47 UTC
Since the grafana-10.2.6-4.fc41 build, the grafana-server service runs as an unconfined type. This is a regression from the previous build. The issue does not appear with the grafana-10.2.6-4.fc40 (and F40) build.

Reproducible: Always

Steps to Reproduce:
1. Install grafana-10.2.6-4.fc41 on rawhide
2. Start the grafana-server service
# systemctl start grafana-server
3. Check if the service is unconfined
# ps -efZ | grep grafana-server
Actual Results:
system_u:system_r:unconfined_service_t:s0 grafana 1886 1  0 14:18 ?        00:00:01 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1942 1570  0 14:30 pts/0 00:00:00 grep --color=auto grafana-server

Expected Results:
system_u:system_r:grafana_t:s0  grafana     1704       1 14 14:34 ?        00:00:00 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1729 1534  0 14:35 pts/0 00:00:00 grep --color=auto grafana-server

Comment 1 Jan Kurik 2024-08-01 12:26:54 UTC
After some discussion with selinux maintainers I was pointed to this Change: https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin which is causing the issue.

As such, we need to extend the grafana selinux policy with the following records:

/usr/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)

Comment 2 Jan Kurik 2024-08-01 12:55:09 UTC
Actually, we also need a record for /usr/bin/grafana, so the complete list of rules will look like this:

/usr/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana -- gen_context(system_u:object_r:grafana_exec_t,s0)

As a workaround, before the policy is extended, this works for me:

cat << EOF > grafana_tmp.cil
(filecon "/usr/bin/grafana-cli" file (system_u object_r grafana_exec_t ((s0) (s0))))
(filecon "/usr/bin/grafana-server" file (system_u object_r grafana_exec_t ((s0) (s0))))
(filecon "/usr/bin/grafana" file (system_u object_r grafana_exec_t ((s0) (s0))))
EOF

sudo semodule -i grafana_tmp.cil
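
Added example, not code from the bug report or the grafana package: a small POSIX shell check that parses `ps -efZ` output like the Actual/Expected Results above and flags system services running as unconfined_service_t (the symptom this bug describes), plus a guarded live check that also shows the labels of the /usr/bin grafana binaries whose missing file contexts Comment 2 identifies. The process lines are constructed samples modelled on the description's output.

```shell
#!/bin/sh
# Added example: detect system services running in unconfined_service_t.

# Constructed samples modelled on the "Actual Results" / "Expected Results"
# in the description (columns: LABEL UID PID PPID C STIME TTY TIME CMD ...).
SAMPLE_ACTUAL='system_u:system_r:unconfined_service_t:s0 grafana 1886 1 0 14:18 ? 00:00:01 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1942 1570 0 14:30 pts/0 00:00:00 grep --color=auto grafana-server'
SAMPLE_EXPECTED='system_u:system_r:grafana_t:s0 grafana 1704 1 14 14:34 ? 00:00:00 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1729 1534 0 14:35 pts/0 00:00:00 grep --color=auto grafana-server'

# Read ps -efZ lines on stdin; print "uid pid executable" for every process
# whose label has the system_r role and the unconfined_service_t type.
# Interactive shells (unconfined_r:unconfined_t, e.g. the grep line) are a
# different case and are deliberately not reported.
unconfined_services() {
    awk '{
        n = split($1, ctx, ":")        # user:role:type[:level...]
        if (n >= 3 && ctx[2] == "system_r" && ctx[3] == "unconfined_service_t")
            print $2, $3, $9
    }'
}

# Read ps -efZ lines on stdin; print the SELinux type (domain) of each
# process whose executable (first word of CMD) equals $1.
domain_of() {
    awk -v exe="$1" '$9 == exe { split($1, ctx, ":"); print ctx[3] }'
}

# On a live SELinux host, run the check against the real process table and
# show how the grafana binaries are labelled. After the bin/sbin unification
# the binaries resolve to /usr/bin, so a policy with file contexts only for
# /usr/sbin no longer labels them grafana_exec_t, and init starts the service
# in unconfined_service_t instead of grafana_t.
live_check() {
    [ -d /sys/fs/selinux ] || { echo "SELinux is not active; nothing to check"; return 0; }
    echo "services running as unconfined_service_t:"
    ps -efZ | unconfined_services
    ls -Z /usr/bin/grafana /usr/bin/grafana-server /usr/bin/grafana-cli 2>/dev/null
}

printf '%s\n' "$SAMPLE_ACTUAL" | unconfined_services      # grafana 1886 /usr/sbin/grafana
printf '%s\n' "$SAMPLE_EXPECTED" | unconfined_services    # (nothing: grafana_t is confined)
```

Call `live_check` on the host in question to compare the real process table and binary labels with the two samples.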

Comment 3 Jan Kurik 2024-08-01 18:14:03 UTC
Fixed in grafana-10.2.6-5.fc41 build.

Comment 4 Aoife Moloney 2025-02-26 13:10:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.