From 6b65fa42b4639a80da9052b3442b2bf561ebab79 Mon Sep 17 00:00:00 2001
From: Sam Feifer
Date: Tue, 13 May 2025 11:17:40 -0400
Subject: [PATCH] Resolves: RHEL-89943
---
 0013-fix-CVE-2025-4123.patch | 32 +++++++++++
 grafana.spec | 102 ++++++++++++++++++-----------------
 grafana.te | 44 ++++++++++++---
 3 files changed, 121 insertions(+), 57 deletions(-)
 create mode 100644 0013-fix-CVE-2025-4123.patch
diff --git a/0013-fix-CVE-2025-4123.patch b/0013-fix-CVE-2025-4123.patch
new file mode 100644
index 0000000..5204e37
--- /dev/null
+++ b/0013-fix-CVE-2025-4123.patch
@@ -0,0 +1,32 @@
+From 2d4314b5ca1e527a3420fad11d3f1a25351700d4 Mon Sep 17 00:00:00 2001
+From: Sam Feifer
+Date: Wed, 7 May 2025 16:27:08 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index e1e5468bfa3..4221144bf54 100644
+--- a/conf/defaults.ini
++++ b/conf/defaults.ini
+@@ -363,7 +363,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
++content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 51d2b6c512b..fd588b48225 100644
+--- a/conf/sample.ini
++++ b/conf/sample.ini
+@@ -364,7 +364,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
++;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
diff --git a/grafana.spec b/grafana.spec
index ce58678..5dfdfe1 100644
--- a/grafana.spec
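Review bot: The fix shipped as 0013-fix-CVE-2025-4123.patch is a configuration default flip (`content_security_policy = true` in conf/defaults.ini), i.e. a hardening mitigation rather than a change to the code path the CVE describes; if the upstream advisory's fix also contains server-side changes, this covers only part of it and that should be confirmed against the advisory before the changelog claims the CVE is resolved. Changing the default also changes behaviour for every deployment whose grafana.ini does not set the key explicitly — the Content-Security-Policy header will now be emitted, which may affect dashboards or plugins that rely on inline resources not covered by the template — so the changelog entry should state that. The conf/sample.ini half only edits a commented-out line (`;content_security_policy = true`) and has no runtime effect.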
+++ b/grafana.spec
@@ -25,7 +25,7 @@ end}
 Name: grafana
 Version: 10.2.6
-Release: 16%{?dist}
+Release: 17%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
@@ -78,6 +78,7 @@ Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10: 0010-remove-bcrypt-references.patch
 Patch11: 0011-fix-dompurify-CVE.patch
 Patch12: 0012-fix-jwt-CVE.patch
+Patch13: 0013-fix-CVE-2025-4123.patch
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -739,15 +740,13 @@ Graphite, InfluxDB & OpenTSDB.
 # SELinux package
 %package selinux
-Summary: SELinux policy module supporting grafana
-BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
-%if "%{_selinux_policy_version}" != ""
-Requires: selinux-policy >= %{_selinux_policy_version}
-%endif
-Requires: %{name} = %{version}-%{release}
-Requires: selinux-policy-targeted
-Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
-Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
+Summary: SELinux policy module supporting grafana
+BuildArch: noarch
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy-targeted
+Requires(post): selinux-policy-targeted, /usr/sbin/semanage
+Requires(postun): /usr/sbin/semanage
+BuildRequires: selinux-policy-devel
 %description selinux
 SELinux policy module supporting grafana
@@ -762,10 +761,6 @@ rm -r plugins-bundled
 %setup -q -T -D -b 2
 %endif
-# SELinux policy
-mkdir SELinux
-cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
-
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
@@ -778,6 +773,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
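Review bot: In the `%package selinux` hunk (@@ -739,15 +740,13 @@) the versioned `Requires: selinux-policy >= %{_selinux_policy_version}` is dropped and `Requires(post)`/`Requires(postun)` no longer name semodule, restorecon or fixfiles, yet the rewritten %post/%postun later in this diff expand `%selinux_modules_install`/`%selinux_relabel_post` and call `semodule` directly. selinux-policy ships the `%{?selinux_requires}` macro for exactly this: it expands to the versioned base-policy dependency plus the post/postun tool requirements those macros need, so the module cannot be installed against an older base policy than the one it was compiled against. Replacing the hand-written Requires lines with `%{?selinux_requires}` and keeping only `Requires(post): /usr/sbin/semanage` / `Requires(postun): /usr/sbin/semanage` for the explicit semanage calls would be both shorter and safer. The later hunks of this file section (%prep cleanup, `%patch -P 13`) are fine as they are.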
@@ -807,14 +803,11 @@ for cmd in grafana grafana-cli grafana-server; do
 done
 # SELinux policy
-cd SELinux
-for selinuxvariant in %{selinux_variants}
-do
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
- mv grafana.pp grafana.pp.${selinuxvariant}
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
-done
-cd -
+mkdir selinux
+cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} selinux
+
+make -f %{_datadir}/selinux/devel/Makefile grafana.pp
+bzip2 -9 grafana.pp
 %install
@@ -880,14 +873,12 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \
 install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
 # SELinux policy
-cd SELinux
 for selinuxvariant in %{selinux_variants}
 do
- install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
- install -p -m 644 grafana.pp.${selinuxvariant} \
- %{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp
+ install -D -m 0644 grafana.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2
+ install -D -p -m 0644 selinux/grafana.if \
+ %{buildroot}%{_datadir}/selinux/devel/include/distributed/grafana.if
 done
-cd -
 %pre
 %sysusers_create_compat %{SOURCE3}
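Review bot: In the %build hunk (@@ -807,14 +803,11 @@) the policy sources are copied into `selinux/`, but `make -f %{_datadir}/selinux/devel/Makefile grafana.pp` is run from the parent directory; the devel Makefile's pattern rules resolve `grafana.te` and its companion files relative to the working directory, so unless a copy exists there this target cannot be built — worth confirming in a local mock build, and if it fails, running `make -C selinux -f %{_datadir}/selinux/devel/Makefile grafana.pp` and pointing the `bzip2` and `install` lines at `selinux/grafana.pp`. The module is now compiled once without `NAME=${selinuxvariant}` while the %install loop (@@ -880,14 +873,12 @@) copies the same `grafana.pp.bz2` under every variant directory, which is only correct if `%{selinux_variants}` is just `targeted`; a comment saying so would prevent a later variant from silently getting the wrong build. Minor: `install -D -m 0644 grafana.pp.bz2` omits `-p` while the grafana.if line next to it keeps it.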
@@ -993,39 +984,50 @@ export GOEXPERIMENT=boringcrypto
 %doc README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md
 # SELinux policy
+%pre selinux
+for selinuxvariant in %{selinux_variants}
+do
+ %selinux_relabel_pre -s ${selinuxvariant}
+done
+
 %post selinux
 for selinuxvariant in %{selinux_variants}
 do
- /usr/sbin/semodule -s ${selinuxvariant} -i \
- %{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || :
+ %selinux_modules_install -s ${selinuxvariant} %{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2 &>/dev/null
+ /usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
+ semodule -X400 -r grafana &>/dev/null || true
+ %selinux_relabel_post -s ${selinuxvariant}
 done
-/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
-/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
-/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
-/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
-/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
-/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
-%postun selinux
-if [ $1 -eq 0 ] ; then
-/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
- for selinuxvariant in %{selinux_variants}
- do
- /usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || :
- done
- /sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
- /sbin/restorecon -RvF /etc/grafana &> /dev/null || :
- /sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
- /sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
- /sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
+if [ "$1" -le "1" ]; then # First install
+ # The daemon needs to be restarted for the custom label to be applied.
+ # This will fail in case "post selinux" is executed before the service file is installed,
+ # but then it is safe to ignore since the service will first start with the proper label
+ %systemd_postun_with_restart grafana.service &> /dev/null || :
 fi
+%postun selinux
+for selinuxvariant in %{selinux_variants}
+do
+ if [ $1 -eq 0 ]; then
+ /usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
+ %selinux_modules_uninstall -s ${selinuxvariant} grafana
+ %selinux_relabel_post -s ${selinuxvariant}
+ fi
+done
+
 %files selinux
-%defattr(-,root,root,0755)
-%doc SELinux/*
-%{_datadir}/selinux/*/grafana.pp
+%{_datadir}/selinux/packages/*/grafana.pp.*
+%{_datadir}/selinux/devel/include/distributed/grafana.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana
 %changelog
+* Tue May 13 2025 Sam Feifer 10.2.6-17
+- Resolves RHEL-89943: CVE-2025-4123
+- Added selinux rules for ldap and other observed selinux denials
+- Reworked the spec file selinux sections
+- Fixed the priority of the selinux policy
+
 * Tue Apr 29 2025 Sam Feifer 10.2.6-16
 - Resolves RHEL-85420: Move home directory of grafana to /var/lib/grafana
diff --git a/grafana.te b/grafana.te
index 910fd54..40efc62 100644
--- a/grafana.te
+++ b/grafana.te
@@ -27,13 +27,6 @@ gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
 ##
 gen_tunable(grafana_can_tcp_connect_mysql_port, false)
-##
-##
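Review bot: In the new `%post selinux` loop (hunk @@ -993,39 +984,50 @@, which begins on the previous line) `%selinux_modules_install ... &>/dev/null` discards the only diagnostic a failed module load would produce; the macro is normally run unredirected, since it already copes with a missing policy store. The carried-over `/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 ... || :` deserves a second look: in the targeted base policy tcp/3000 is already labeled `ntop_port_t`, so `-a` presumably fails on every install (and the matching `-d` in %postun cannot remove a base-policy port), with `|| :` hiding both — and the new `allow grafana_t ntop_port_t:tcp_socket name_bind` rule in grafana.te (hunk @@ -107,6 +117,14 @@) reads like the workaround for exactly that. Either drop the two semanage calls and their `/usr/sbin/semanage` post/postun requirements and document that the listener binds as ntop_port_t, or switch to `semanage port -m` and let an error surface; a labeling step that is expected to fail silently gives a false sense of what the policy enforces. The `semodule -X400 -r grafana` after the priority-200 install is the right order, but a comment such as `# remove the module that releases <= 16 installed at the default priority 400` would spare the next maintainer the archaeology.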

-## Allow grafana to connect to postgresql's default tcp port of 5432
-##

-##
-gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
-
 ##
 ##

## Allow grafana to connect to prometheus' default tcp port of 9090
@@ -41,6 +34,20 @@ gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
 ##
 gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
+##
+##

+## Allow grafana to connect to postgresql's default tcp port of 5432
+##

+##
+gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
+
+##
+##

+## Allow grafana to connect to ldap's tcp port
+##

+##
+gen_tunable(grafana_can_tcp_connect_ldap_port, false)
+
 type grafana_t;
 type grafana_exec_t;
@@ -95,6 +102,9 @@ allow grafana_t self:unix_dgram_socket create_socket_perms;
 allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
+allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };
+allow grafana_t grafana_var_lib_t:file map;
+
 allow grafana_t self:unix_stream_socket connectto;
 allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
@@ -107,6 +117,14 @@ optional_policy(`
 allow grafana_t smtp_port_t:tcp_socket name_connect;
 ')
+optional_policy(`
+ require {
+ type ntop_port_t;
+ class tcp_socket { name_bind };
+ }
+ allow grafana_t ntop_port_t:tcp_socket name_bind;
+')
+
 optional_policy(`
 require {
 type usr_t;
@@ -142,6 +160,14 @@ optional_policy(`
 allow grafana_t autofs_t:dir getattr;
 ')
+optional_policy(`
+ require {
+ type postfix_local_t;
+ class dir { search };
+ }
+ allow postfix_local_t grafana_var_lib_t:dir search;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
@@ -213,6 +239,10 @@ tunable_policy(`grafana_can_tcp_connect_postgresql_port',`
 # Postgresql default
 corenet_tcp_connect_postgresql_port(grafana_t)
 ')
+tunable_policy(`grafana_can_tcp_connect_ldap_port',`
+ corenet_tcp_connect_ldap_port(grafana_t)
+')
+
 optional_policy(`
 systemd_private_tmp(grafana_tmp_t)
 ')
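Review bot: `allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };` together with `map` (hunk @@ -95,6 +102,9 @@) lets the confined daemon execute, inside its own domain, any file in its state directory — grafana_var_lib_t is presumably writable by grafana_t elsewhere in this policy (confirm), and the 10.2.6-16 changelog entry made /var/lib/grafana its home directory — so a compromised process could write a file and then run it without ever leaving grafana_t, which removes much of the containment the domain exists to provide. If the motivating denial is plugin binaries, a narrower fix is a dedicated exec type for the plugin directory assigned in the .fc file (constructed name: `grafana_plugin_exec_t`) with execute/map limited to that type, or at least a tunable modelled on the `grafana_can_tcp_connect_*` booleans that keeps it off by default. Whatever is chosen, the rule should carry a comment naming the denial it resolves, e.g. `# needed for <observed denial — TODO record the AVC>`, since "other observed selinux denials" in the changelog does not say. The `postfix_local_t` search rule (hunk @@ -142,6 +160,14 @@) is a reasonable consequence of the home-directory move and needs no change.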