Description of problem: After upgrading graphite-web 0.x.x to graphite 1.x.x no monitoring data populated in grafana dashboard. But if I switch SELinux to permissive mode then I can see all monitoring data in grafana dashboard. Version-Release number of selected component (if applicable): How reproducible: 100% with graphite-web 1.x.x Steps to Reproduce: 1. update packages to: graphite-web-1.1.4-1.el7rhgs.noarch.rpm python-cachetools-1.0.3-1.el7.noarch.rpm python-carbon-1.1.4-1.el7rhgs.noarch.rpm python-django-tagging-0.4.6-1.el7rhgs.noarch.rpm python-scandir-1.3-1.el7rhgs.x86_64.rpm python-whisper-1.1.4-1.el7rhgs.noarch.rpm python2-django-1.11.15-1.el7rhgs.noarch.rpm 2. run tendrl-upgrade script to initialize graphite-db 3. reboot the tendrl-server 4. Open grafana dashbaord, it won't show any monitoring data 5. type: setenforce 0 6. then all monitoring-data will present in grafana Actual results: Grafana dashboard not showing any data when SELinux is in enforcing Expected results: grafana should show data when SELinux is in enforcing Additional info:
It failed to show the graphical data due to denied access for the link files by the selinux. The following are the selinux log: type=AVC msg=audit(1544435268.923:7161): avc: denied { read } for pid=5701 comm="httpd" name="7167366d-26be-4bd5-9662-d6e6fc798480" dev="vda1" ino=923681 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:carbon_var_lib_t:s0 tclass=lnk_file permissive=0 Fix patch sent to upstream: https://github.com/Tendrl/tendrl-selinux/pull/11
This change is necessary because of BZ 1658702. It will be tested via regression testing for update and installation scenarios.
Tested on both freshly installed (RHGS WA 3.4.3) and updated (from RHGS WA 3.4.2 to 3.4.3) cluster. Monitoring data are available on the dashboards as expected. No AVC denial message related to httpd is in audit.log # cat /var/log/audit/audit.log | grep AVC | grep httpd # Versions of related packages: carbon-selinux-1.5.4-3.el7rhgs.noarch graphite-web-1.1.4-1.el7rhgs.noarch python2-django-1.11.15-1.1.el7rhgs.noarch python-cachetools-1.0.3-1.1.el7rhgs.noarch python-carbon-1.1.4-1.el7rhgs.noarch python-django-tagging-0.4.6-1.el7rhgs.noarch python-scandir-1.3-1.el7rhgs.x86_64 python-whisper-1.1.4-1.el7rhgs.noarch tendrl-ansible-1.6.3-11.el7rhgs.noarch tendrl-api-1.6.3-8.el7rhgs.noarch tendrl-api-httpd-1.6.3-8.el7rhgs.noarch tendrl-commons-1.6.3-14.el7rhgs.noarch tendrl-grafana-plugins-1.6.3-18.el7rhgs.noarch tendrl-grafana-selinux-1.5.4-3.el7rhgs.noarch tendrl-monitoring-integration-1.6.3-18.el7rhgs.noarch tendrl-node-agent-1.6.3-13.el7rhgs.noarch tendrl-notifier-1.6.3-4.el7rhgs.noarch tendrl-selinux-1.5.4-3.el7rhgs.noarch tendrl-ui-1.6.3-14.el7rhgs.noarch >> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0265