Resolves: RHEL-89943

0013-fix-CVE-2025-4123.patch

@@ -0,0 +1,32 @@
+From 2d4314b5ca1e527a3420fad11d3f1a25351700d4 Mon Sep 17 00:00:00 2001
+From: Sam Feifer <sfeifer@redhat.com>
+Date: Wed, 7 May 2025 16:27:08 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index e1e5468bfa3..4221144bf54 100644
+--- a/conf/defaults.ini
++++ b/conf/defaults.ini
+@@ -363,7 +363,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
++content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 51d2b6c512b..fd588b48225 100644
+--- a/conf/sample.ini
++++ b/conf/sample.ini
+@@ -364,7 +364,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
++;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.

grafana.spec

@@ -25,7 +25,7 @@ end}
 
 Name:             grafana
 Version:          10.2.6
-Release:          16%{?dist}
+Release:          17%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@@ -78,6 +78,7 @@ Patch9:           0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10:          0010-remove-bcrypt-references.patch
 Patch11:          0011-fix-dompurify-CVE.patch
 Patch12:          0012-fix-jwt-CVE.patch
+Patch13:          0013-fix-CVE-2025-4123.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -739,15 +740,13 @@ Graphite, InfluxDB & OpenTSDB.
 
 # SELinux package
 %package selinux
-Summary:        SELinux policy module supporting grafana
-BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
-%if "%{_selinux_policy_version}" != ""
-Requires:       selinux-policy >= %{_selinux_policy_version}
-%endif
-Requires:       %{name} = %{version}-%{release}
-Requires:	selinux-policy-targeted
-Requires(post):   /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
-Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
+Summary:             SELinux policy module supporting grafana
+BuildArch:           noarch
+Requires:            %{name} = %{version}-%{release}
+Requires:	           selinux-policy-targeted
+Requires(post):      selinux-policy-targeted, /usr/sbin/semanage
+Requires(postun):    /usr/sbin/semanage
+BuildRequires:       selinux-policy-devel
 
 %description selinux
 SELinux policy module supporting grafana
@@ -762,10 +761,6 @@ rm -r plugins-bundled
 %setup -q -T -D -b 2
 %endif
 
-# SELinux policy
-mkdir SELinux
-cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
-
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
@@ -778,6 +773,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1
 
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -807,14 +803,11 @@ for cmd in grafana grafana-cli grafana-server; do
 done
 
 # SELinux policy
-cd SELinux
-for selinuxvariant in %{selinux_variants}
-do
-  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
-  mv grafana.pp grafana.pp.${selinuxvariant}
-  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
-done
-cd -
+mkdir selinux
+cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} selinux
+
+make -f %{_datadir}/selinux/devel/Makefile grafana.pp
+bzip2 -9 grafana.pp
 
 
 %install
@@ -880,14 +873,12 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \
 install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
 
 # SELinux policy
-cd SELinux
 for selinuxvariant in %{selinux_variants}
 do
-  install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
-  install -p -m 644 grafana.pp.${selinuxvariant} \
-    %{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp
+  install -D -m 0644 grafana.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2
+  install -D -p -m 0644 selinux/grafana.if \
+    %{buildroot}%{_datadir}/selinux/devel/include/distributed/grafana.if
 done
-cd -
 
 %pre
 %sysusers_create_compat %{SOURCE3}
@@ -993,39 +984,50 @@ export GOEXPERIMENT=boringcrypto
 %doc README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md
 
 # SELinux policy
+%pre selinux
+for selinuxvariant in %{selinux_variants}
+do
+  %selinux_relabel_pre -s ${selinuxvariant}
+done
+
 %post selinux
 for selinuxvariant in %{selinux_variants}
 do
-  /usr/sbin/semodule -s ${selinuxvariant} -i \
-    %{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || :
+  %selinux_modules_install -s ${selinuxvariant} %{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2 &>/dev/null
+  /usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
+  semodule -X400 -r grafana &>/dev/null || true
+  %selinux_relabel_post -s ${selinuxvariant}
 done
-/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
-/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
-/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
-/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
-/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
-/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
 
-%postun selinux
-if [ $1 -eq 0 ] ; then
-/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
-  for selinuxvariant in %{selinux_variants}
-  do
-    /usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || :
-  done
-  /sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
-  /sbin/restorecon -RvF /etc/grafana &> /dev/null || :
-  /sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
-  /sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
-  /sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
+if [ "$1" -le "1" ]; then # First install
+   # The daemon needs to be restarted for the custom label to be applied.
+   # This will fail in case "post selinux" is executed before the service file is installed,
+   # but then it is safe to ignore since the service will first start with the proper label
+   %systemd_postun_with_restart grafana.service &> /dev/null || :
 fi
 
+%postun selinux
+for selinuxvariant in %{selinux_variants}
+do
+  if [ $1 -eq 0 ]; then
+    /usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
+    %selinux_modules_uninstall -s ${selinuxvariant} grafana
+    %selinux_relabel_post -s ${selinuxvariant}
+  fi
+done
+
 %files selinux
-%defattr(-,root,root,0755)
-%doc SELinux/*
-%{_datadir}/selinux/*/grafana.pp
+%{_datadir}/selinux/packages/*/grafana.pp.*
+%{_datadir}/selinux/devel/include/distributed/grafana.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana
 
 %changelog
+* Tue May 13 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-17
+- Resolves RHEL-89943: CVE-2025-4123
+- Added selinux rules for ldap and other observed selinux denials
+- Reworked the spec file selinux sections
+- Fixed the priority of the selinux policy
+
 * Tue Apr 29 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-16
 - Resolves RHEL-85420: Move home directory of grafana to /var/lib/grafana
 

grafana.te

@@ -27,13 +27,6 @@ gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
 ## </desc>
 gen_tunable(grafana_can_tcp_connect_mysql_port, false)
 
-## <desc>
-## <p>
-## Allow grafana to connect to postgresql's default tcp port of 5432
-## </p>
-## </desc>
-gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
-
 ## <desc>
 ## <p>
 ## Allow grafana to connect to prometheus' default tcp port of 9090
@@ -41,6 +34,20 @@ gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
 ## </desc>
 gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
 
+## <desc>            
+## <p>
+## Allow grafana to connect to postgresql's default tcp port of 5432            
+## </p>            
+## </desc>            
+gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
+
+## <desc>            
+## <p>
+## Allow grafana to connect to ldap's tcp port           
+## </p>            
+## </desc>  
+gen_tunable(grafana_can_tcp_connect_ldap_port, false)
+
 
 type grafana_t;
 type grafana_exec_t;
@@ -95,6 +102,9 @@ allow grafana_t self:unix_dgram_socket create_socket_perms;
 
 allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
 
+allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };
+allow grafana_t grafana_var_lib_t:file map;
+
 allow grafana_t self:unix_stream_socket connectto;
 
 allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
@@ -107,6 +117,14 @@ optional_policy(`
 	allow grafana_t smtp_port_t:tcp_socket name_connect;
 ')
 
+optional_policy(`
+	require {
+		type ntop_port_t;
+		class tcp_socket { name_bind };
+	}
+	allow grafana_t ntop_port_t:tcp_socket name_bind;
+')
+
 optional_policy(`
 	require {
 		type usr_t;
@@ -142,6 +160,14 @@ optional_policy(`
 	allow grafana_t autofs_t:dir getattr;
 ')
 
+optional_policy(`
+	require {
+		type postfix_local_t;
+		class dir { search };
+	}
+	allow postfix_local_t grafana_var_lib_t:dir search;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 
@@ -213,6 +239,10 @@ tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default
 	corenet_tcp_connect_postgresql_port(grafana_t)
 ')
 
+tunable_policy(`grafana_can_tcp_connect_ldap_port',`
+	corenet_tcp_connect_ldap_port(grafana_t)
+')
+
 optional_policy(`
     systemd_private_tmp(grafana_tmp_t)
 ')