From 1159ac80deb9e6686f3bc2d8bbe4230f446e2b0d Mon Sep 17 00:00:00 2001
From: Sam Feifer
Date: Tue, 19 Dec 2023 10:44:09 -0500
Subject: [PATCH] Fixes postgresql AVC denial

Related: RHEL-7505
---
 grafana.spec | 6 +++++-
 grafana.te | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/grafana.spec b/grafana.spec
index fee8b2e..e0cf7d1 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -25,7 +25,7 @@ end}

 Name: grafana
 Version: 9.2.10
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
@@ -1008,6 +1008,10 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Tue Dec 19 2023 Sam Feifer 9.2.10-14
+- Fixes postgresql AVC denial
+- Related RHEL-7505
+
 * Thu Dec 14 2023 Sam Feifer 9.2.10-13
 - Resolves RHEL-19296
 - Fixes coredump issue introduced by selinux
diff --git a/grafana.te b/grafana.te
index e69228a..6cbedb2 100644
--- a/grafana.te
+++ b/grafana.te
@@ -105,6 +105,17 @@ optional_policy(`
 allow grafana_t usr_t:file { execute execute_no_trans };
 ')

+optional_policy(`
+ require {
+ type postgresql_t;
+ type postgresql_var_run_t;
+ class unix_stream_socket { connectto };
+ class sock_file { write };
+ }
+ allow grafana_t postgresql_t:unix_stream_socket connectto;
+ allow grafana_t postgresql_var_run_t:sock_file write;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
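Review bot: The new optional_policy block in grafana.te requires the postgresql module's private types (`postgresql_t`, `postgresql_var_run_t`) and hand-writes the allow rules, where that module's own interface would state the same intent in one line: `postgresql_stream_connect(grafana_t)`. The two rules grant `connectto` and `sock_file write` but no `search` on the directory holding the socket, so unless grafana_t already gets that from a rule outside this hunk, a follow-up AVC denial is possible; the interface covers the directory search, but it also admits sockets labelled `postgresql_tmp_t`, so confirm the wider grant is acceptable before switching. The access is unconditional wherever the postgresql module is installed, so a comment above the block such as `# connect to a local PostgreSQL over its unix socket (RHEL-7505)` would record why the domain holds it, and gating it behind a boolean would keep it off on hosts that do not need it.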