Bug 2302128 - grafana-server runs an unconfined service type
Summary: grafana-server runs an unconfined service type
Keywords:
Status: VERIFIED
Alias: None
Product: Fedora
Classification: Fedora
Component: grafana
Version: 42
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: sfeifer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-31 18:35 UTC by Jan Kurik
Modified: 2025-02-26 13:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Jan Kurik 2024-07-31 18:35:47 UTC
Since the grafana-10.2.6-4.fc41 build, the grafana-server service runs as an unconfined type. This is a regression from the previous build. This issue does not appear on the grafana-10.2.6-4.fc40 (and F40) build.

Reproducible: Always

Steps to Reproduce:
1. Install grafana-10.2.6-4.fc41 on rawhide
2. Start the grafana-server service
# systemctl start grafana-server
3. Check if the service is unconfined
# ps -efZ | grep grafana-server
Actual Results:  
system_u:system_r:unconfined_service_t:s0 grafana 1886 1  0 14:18 ?        00:00:01 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1942 1570  0 14:30 pts/0 00:00:00 grep --color=auto grafana-server


Expected Results:  
system_u:system_r:grafana_t:s0  grafana     1704       1 14 14:34 ?        00:00:00 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1729 1534  0 14:35 pts/0 00:00:00 grep --color=auto grafana-server

Comment 1 Jan Kurik 2024-08-01 12:26:54 UTC
After some discussion with selinux maintainers I was pointed to this Change: https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin which is causing the issue.

As such, we need to extend the grafana selinux policy with the following records:

/usr/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)

Comment 2 Jan Kurik 2024-08-01 12:55:09 UTC
Actually we also need a record for /usr/bin/grafana. So the complete list of rules will look like this:

/usr/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
/usr/bin/grafana -- gen_context(system_u:object_r:grafana_exec_t,s0)


As a workaround, before the policy is extended, this works for me:

cat << EOF > grafana_tmp.cil
(filecon "/usr/bin/grafana-cli" file (system_u object_r grafana_exec_t ((s0) (s0))))
(filecon "/usr/bin/grafana-server" file (system_u object_r grafana_exec_t ((s0) (s0))))
(filecon "/usr/bin/grafana" file (system_u object_r grafana_exec_t ((s0) (s0))))
EOF

sudo semodule -i grafana_tmp.cil
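The check behind steps 2 and 3 of the report, and the file-label cause described in the comments above, as an added example (not part of the bug report or the grafana package): a POSIX shell helper that reads the SELinux type out of `ps -efZ` and `ls -Z` output lines and reports whether grafana runs in `grafana_t` and whether its binary carries `grafana_exec_t`. The sample lines are constructed from the report's Actual/Expected output; the `--live` switch and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: classify the SELinux domain of a
# grafana process and the label of its binary from ps -efZ / ls -Z lines.

# The context (user:role:type:level) is the first column of both `ps -efZ`
# and `ls -Z` output; the type is its third colon-separated field. The level
# may itself contain colons (s0-s0:c0.c1023), which is why we take field 3
# rather than the last field.
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# 0 when a ps -efZ line shows grafana running in its confined domain.
grafana_line_confined() {
    [ "$(selinux_type_of_line "$1")" = "grafana_t" ]
}

# 0 when an ls -Z line shows the binary labeled so that a domain transition
# from init into grafana_t can happen (the label the CIL workaround restores).
binary_line_labeled() {
    [ "$(selinux_type_of_line "$1")" = "grafana_exec_t" ]
}

# Live check on the current host (opt-in via --live, an assumption of this
# script). Returns 0 if confined, 1 if unconfined, 2 if grafana is not running.
check_running_grafana() {
    line=$(ps -efZ 2>/dev/null | grep '[/]usr/s\{0,1\}bin/grafana server' | head -n 1)
    [ -n "$line" ] || { echo "grafana server not running"; return 2; }
    if grafana_line_confined "$line"; then
        echo "grafana-server confined: $(selinux_type_of_line "$line")"
        return 0
    fi
    echo "grafana-server UNCONFINED: $(selinux_type_of_line "$line")"
    return 1
}

# Constructed sample lines modelled on the report's Actual and Expected results.
SAMPLE_UNCONFINED='system_u:system_r:unconfined_service_t:s0 grafana 1886 1 0 14:18 ? 00:00:01 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini'
SAMPLE_CONFINED='system_u:system_r:grafana_t:s0 grafana 1704 1 14 14:34 ? 00:00:00 /usr/sbin/grafana server --config=/etc/grafana/grafana.ini'
# Constructed ls -Z lines: bin_t is what a mislabeled /usr/bin/grafana would show.
SAMPLE_BIN_WRONG='system_u:object_r:bin_t:s0 /usr/bin/grafana'
SAMPLE_BIN_RIGHT='system_u:object_r:grafana_exec_t:s0 /usr/bin/grafana'

for sample in "$SAMPLE_CONFINED" "$SAMPLE_UNCONFINED"; do
    if grafana_line_confined "$sample"; then
        echo "confined:   $(selinux_type_of_line "$sample")"
    else
        echo "unconfined: $(selinux_type_of_line "$sample")"
    fi
done
for sample in "$SAMPLE_BIN_RIGHT" "$SAMPLE_BIN_WRONG"; do
    if binary_line_labeled "$sample"; then
        echo "binary label ok:    $(selinux_type_of_line "$sample")"
    else
        echo "binary label wrong: $(selinux_type_of_line "$sample")"
    fi
done

[ "${1:-}" = "--live" ] && check_running_grafana
exit 0
```

Run it with `--live` on the affected host before and after `semodule -i grafana_tmp.cil` (and a service restart) to confirm the domain changes from `unconfined_service_t` to `grafana_t`; without the switch it only classifies the embedded sample lines.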

Comment 3 Jan Kurik 2024-08-01 18:14:03 UTC
Fixed in grafana-10.2.6-5.fc41 build.

Comment 4 Aoife Moloney 2025-02-26 13:10:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

