Fix postgresql AVC denials

2023-12-18 10:42:57 -05:00 · 2023-12-18 10:42:57 -05:00 · 0a301faf67
commit 0a301faf67
parent 51103637cb
2 changed files with 15 additions and 1 deletions
--- a/grafana.spec
+++ b/grafana.spec
@ -25,7 +25,7 @@ end}

 Name:             grafana
 Version:          9.2.10
-Release:          13%{?dist}
+Release:          14%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@ -1006,6 +1006,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Mon  Dec 18 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
+- Fixes postgresql AVC denials
+
 * Fri  Dec 15 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-13
 - Fixes coredump issue introduced by selinux
 - Patches out call to panic when trying to walk "/" directory
--- a/grafana.te
+++ b/grafana.te
@ -106,6 +106,17 @@ optional_policy(`
 ')


+optional_policy(`
+	require {
+		type postgresql_t;
+		type postgresql_var_run_t;
+		class unix_stream_socket { connectto };
+		class sock_file { write };
+	}
+	allow grafana_t postgresql_t:unix_stream_socket connectto;
+	allow grafana_t postgresql_var_run_t:sock_file write;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)