From 4ccae24676149d50e35ac297fada4447bb563ee9 Mon Sep 17 00:00:00 2001
From: Sam Feifer
Date: Wed, 5 Feb 2025 11:40:11 -0500
Subject: [PATCH] Resolves: RHEL-75921

---
 grafana.spec | 5 ++++-
 grafana.te | 16 ++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/grafana.spec b/grafana.spec
index 3c292b5..88ae423 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -35,7 +35,7 @@ end}

 Name: grafana
 Version: 9.2.10
-Release: 21%{?dist}
+Release: 22%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPLv3
 URL: https://grafana.org
@@ -1021,6 +1021,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Wed Feb 5 2025 Sam Feifer 9.2.10-22
+- Resolves RHEL-75921: grafana selinux issue with autofs_t
+
 * Wed Jan 15 2025 Sam Feifer 9.2.10-21
 - Resolves RHEL-72881: CVE-2025-21614
 - Resolves RHEL-72869: CVE-2025-21613
diff --git a/grafana.te b/grafana.te
index c4d6a50..8e1b117 100644
--- a/grafana.te
+++ b/grafana.te
@@ -126,6 +126,14 @@ optional_policy(`
 allow grafana_t postgresql_var_run_t:sock_file write;
 ')

+optional_policy(`
+ require {
+ type autofs_t;
+ class dir {getattr};
+ }
+ allow grafana_t autofs_t:dir getattr;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)

@@ -189,14 +197,14 @@ tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3
 corenet_tcp_connect_mysqld_port(grafana_t)
 ')

-tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
- corenet_tcp_connect_postgresql_port(grafana_t)
-')
-
 tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090
 corenet_tcp_connect_websm_port(grafana_t)
 ')

+tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
+ corenet_tcp_connect_postgresql_port(grafana_t)
+')
+
 optional_policy(`
 systemd_private_tmp(grafana_tmp_t)
 ')
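Review bot: The new `optional_policy` block in grafana.te (hunk `@@ -126,6 +126,14 @@`) carries no comment recording which access prompted the rule, so a later maintainer cannot tell that `getattr` alone is the intended ceiling for `grafana_t` on `autofs_t`. A line such as `# RHEL-75921: getattr on automount points only; do not widen to search/read without a matching AVC denial` above the `allow` would keep the grant least-privilege over time. The rule also covers only directories still labeled `autofs_t`. Once an automount is triggered, the directory presumably takes the mounted filesystem's type, which this rule does not grant. It is worth confirming against the ticket that the denial was only the pre-mount `getattr`.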