Fix AVC denials found when testing

2023-11-15 11:48:55 -05:00 · 2023-11-15 11:48:55 -05:00 · 756e76aa17
commit 756e76aa17
parent 2952ea608f
2 changed files with 20 additions and 1 deletions
--- a/grafana.spec
+++ b/grafana.spec
@ -25,7 +25,7 @@ end}

 Name:             grafana
 Version:          9.2.10
-Release:          8%{?dist}
+Release:          9%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@ -1004,6 +1004,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Thu Nov 9 2023 Sam Feifer <sfeifer@redhat.com> - 9.2.10-9
+- Fix AVC denials found when testing
+
 * Thu Nov 9 2023 Sam Feifer <sfeifer@redhat.com> - 9.2.10-8
 - Hide relabeling messages from selinux when installing/uninstalling 
 
--- a/grafana.te
+++ b/grafana.te
@ -87,6 +87,22 @@ allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };

 allow grafana_t self:unix_stream_socket connectto;

+optional_policy(`
+	require {
+		type smtp_port_t;
+		class tcp_socket { name_connect };
+	}
+	allow grafana_t smtp_port_t:tcp_socket name_connect;
+')
+
+optional_policy(`
+	require {
+		type usr_t;
+		class file { execute };
+	}
+	allow grafana_t usr_t:file execute;
+')
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)