Resolves: RHEL-75921

grafana.spec

@@ -35,7 +35,7 @@ end}
 
 Name:             grafana
 Version:          9.2.10
-Release:          21%{?dist}
+Release:          22%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@@ -1021,6 +1021,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Wed Feb 5 2025 Sam Feifer <sfeifer@redhat.com> 9.2.10-22
+- Resolves RHEL-75921: grafana selinux issue with autofs_t
+
 * Wed Jan 15 2025 Sam Feifer <sfeifer@redhat.com> 9.2.10-21
 - Resolves RHEL-72881: CVE-2025-21614
 - Resolves RHEL-72869: CVE-2025-21613

grafana.te

@@ -126,6 +126,14 @@ optional_policy(`
 	allow grafana_t postgresql_var_run_t:sock_file write;
 ')
 
+optional_policy(`
+	require {
+		type autofs_t;
+		class dir {getattr};
+	}
+	allow grafana_t autofs_t:dir getattr;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 
@@ -189,14 +197,14 @@ tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3
 	corenet_tcp_connect_mysqld_port(grafana_t)
 ')
 
-tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
-	corenet_tcp_connect_postgresql_port(grafana_t)
-')
-
 tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090
 	corenet_tcp_connect_websm_port(grafana_t)
 ')
 
+tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
+	corenet_tcp_connect_postgresql_port(grafana_t)
+')
+
 optional_policy(`
     systemd_private_tmp(grafana_tmp_t)
 ')