The problem does not seem to be severe, because the service starts and run successfully with the default configuration. However, SELinux denials appear every time the test is executed. Reproducible: Always Steps to Reproduce: 1. get a Fedora rawhide machine 2. run the following automated test: selinux-policy/Regression/grafana-server-and-similar 3. search for SELinux denials Actual Results: ---- type=PROCTITLE msg=audit(09/30/2025 09:47:12.095:526) : proctitle=/usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:def type=PATH msg=audit(09/30/2025 09:47:12.095:526) : item=0 name=/sys/fs/cgroup/system.slice/grafana-server.service/memory.pressure/system.slice/grafana-server.service/cpu.max nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/30/2025 09:47:12.095:526) : cwd=/usr/share/grafana type=SYSCALL msg=audit(09/30/2025 09:47:12.095:526) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x555b05a0de40 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=10422 auid=unset uid=grafana gid=grafana euid=grafana suid=grafana fsuid=grafana egid=grafana sgid=grafana fsgid=grafana tty=(none) ses=unset comm=grafana exe=/usr/bin/grafana subj=system_u:system_r:grafana_t:s0 key=(null) type=AVC msg=audit(09/30/2025 09:47:12.095:526) : avc: denied { search } for pid=10422 comm=grafana name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(09/30/2025 09:47:12.326:527) : proctitle=/usr/libexec/grafana-pcp/datasources/valkey/pcp_valkey_datasource_linux_amd64 type=PATH msg=audit(09/30/2025 09:47:12.326:527) : item=0 name=/sys/fs/cgroup/system.slice/grafana-server.service/memory.pressure/system.slice/grafana-server.service/cpu.max nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/30/2025 09:47:12.326:527) : cwd=/usr/share/grafana type=SYSCALL msg=audit(09/30/2025 09:47:12.326:527) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5654776be0e0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=10422 pid=10430 auid=unset uid=grafana gid=grafana euid=grafana suid=grafana fsuid=grafana egid=grafana sgid=grafana fsgid=grafana tty=(none) ses=unset comm=pcp_valkey_data exe=/usr/libexec/grafana-pcp/datasources/valkey/pcp_valkey_datasource_linux_amd64 subj=system_u:system_r:grafana_t:s0 key=(null) type=AVC msg=audit(09/30/2025 09:47:12.326:527) : avc: denied { search } for pid=10430 comm=pcp_valkey_data name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 ---- Expected Results: no SELinux denials
The following SELinux denials appear in permissive mode: ---- type=PROCTITLE msg=audit(09/30/2025 10:13:18.577:534) : proctitle=/usr/sbin/grafana server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:def type=PATH msg=audit(09/30/2025 10:13:18.577:534) : item=0 name=/sys/fs/cgroup/system.slice/grafana-server.service/memory.pressure/system.slice/grafana-server.service/cpu.max nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/30/2025 10:13:18.577:534) : cwd=/usr/share/grafana type=SYSCALL msg=audit(09/30/2025 10:13:18.577:534) : arch=x86_64 syscall=openat success=no exit=ENOTDIR(Not a directory) a0=AT_FDCWD a1=0x5596df1eee40 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=13824 auid=unset uid=grafana gid=grafana euid=grafana suid=grafana fsuid=grafana egid=grafana sgid=grafana fsgid=grafana tty=(none) ses=unset comm=grafana exe=/usr/bin/grafana subj=system_u:system_r:grafana_t:s0 key=(null) type=AVC msg=audit(09/30/2025 10:13:18.577:534) : avc: denied { search } for pid=13824 comm=grafana name=grafana-server.service dev="cgroup2" ino=7018 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(09/30/2025 10:13:18.577:534) : avc: denied { search } for pid=13824 comm=grafana name=system.slice dev="cgroup2" ino=76 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(09/30/2025 10:13:18.577:534) : avc: denied { search } for pid=13824 comm=grafana name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:grafana_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 ---- # rpm -qa seli\* grafana\* | sort grafana-10.2.6-19.fc44.x86_64 grafana-pcp-5.3.0-3.fc44.x86_64 grafana-selinux-10.2.6-19.fc44.noarch selinux-policy-42.11-1.fc44.noarch selinux-policy-devel-42.11-1.fc44.noarch selinux-policy-targeted-42.11-1.fc44.noarch #
FEDORA-2025-f12019ab95 (grafana-10.2.6-21.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-f12019ab95
FEDORA-2025-f12019ab95 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-f12019ab95` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-f12019ab95 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-e5be13890a has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e5be13890a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e5be13890a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.