From 8107b4cbab2425ef65fc56e1bb384426f9f1371c Mon Sep 17 00:00:00 2001 From: Sam Feifer Date: Tue, 17 Jun 2025 13:52:39 -0400 Subject: [PATCH] Reverts: RHEL-92648 This reverts commit 8d4e5fb6e851a480e1b2bdd440250f6a11b953ff. --- grafana.spec | 95 ++++++++++++++++++++++++++++------------------------ grafana.te | 43 ++++-------------------- 2 files changed, 58 insertions(+), 80 deletions(-) diff --git a/grafana.spec b/grafana.spec index 01e34e1..141f834 100644 --- a/grafana.spec +++ b/grafana.spec @@ -25,7 +25,7 @@ end} Name: grafana Version: 10.2.6 -Release: 19%{?dist} +Release: 18%{?dist} Summary: Metrics dashboard and graph editor License: AGPL-3.0-only URL: https://grafana.org @@ -118,7 +118,7 @@ Requires: shared-mime-info %if 0%{?fedora} >= 35 || 0%{?rhel} >= 8 # This ensures that the grafana-selinux package and all its dependencies are # not pulled into containers and other systems that do not use SELinux -Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-any) +Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-targeted) %else Requires: grafana-selinux = %{version}-%{release} %endif 
@@ -740,11 +740,15 @@ Graphite, InfluxDB & OpenTSDB. # SELinux package %package selinux -Summary: SELinux policy module supporting grafana -Requires: selinux-policy-any -Requires(post): selinux-policy-any, /usr/sbin/semanage -Requires(postun): /usr/sbin/semanage -BuildRequires: selinux-policy-devel +Summary: SELinux policy module supporting grafana +BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted +%if "%{_selinux_policy_version}" != "" +Requires: selinux-policy >= %{_selinux_policy_version} +%endif +Requires: %{name} = %{version}-%{release} +Requires: selinux-policy-targeted +Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana +Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana %description selinux SELinux policy module supporting grafana @@ -759,6 +763,10 @@ rm -r plugins-bundled %setup -q -T -D -b 2 %endif +# SELinux policy +mkdir SELinux +cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux + %patch -P 1 -p1 %patch -P 2 -p1 %patch -P 3 -p1 @@ -801,11 +809,15 @@ for cmd in grafana grafana-cli grafana-server; do done # SELinux policy -mkdir selinux -cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} selinux +cd SELinux +for selinuxvariant in %{selinux_variants} +do + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile + mv grafana.pp grafana.pp.${selinuxvariant} + make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean +done +cd - -make -f %{_datadir}/selinux/devel/Makefile grafana.pp -bzip2 -9 grafana.pp %install # dirs, shared files, public html, webpack 
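Review bot: The restored `Requires(post)`/`Requires(postun)` lines of `%package selinux` list `/sbin/fixfiles` and `/sbin/service`, but neither is invoked by the `%post selinux`/`%postun selinux` scriptlets restored later in this same patch (those only call semodule, semanage and restorecon), so they are dead file dependencies that can drag extra packages into minimal installs. I would trim them to `Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, grafana` and the matching `Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, grafana`. Note too that `Requires: %{name}` here, combined with the main package's `Requires: (grafana-selinux ... if selinux-policy-targeted)` in the first hunk, makes the two packages mutually dependent; rpm tolerates the cycle, but it is worth a one-line comment above `Requires: %{name}` saying the cycle is intentional so nobody "fixes" one side later.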
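Review bot: The restored `%build` loop hardcodes `/usr/share/selinux/devel/Makefile`, while the rest of the spec, including the `%install` hunk in this patch, reaches the SELinux tree through `%{_datadir}`; for consistency use `make NAME=${selinuxvariant} -f %{_datadir}/selinux/devel/Makefile` on both make lines. The `cd SELinux` … `cd -` pair is also fragile style: `cd -` depends on `$OLDPWD` and echoes the directory it returns to, whereas `pushd SELinux` … `popd` is the conventional spec idiom and reads the same in the `%install` loop below, which uses the same pattern.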
@@ -870,12 +882,14 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \ install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf # SELinux policy +cd SELinux for selinuxvariant in %{selinux_variants} do - install -D -m 0644 grafana.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2 - install -D -p -m 0644 selinux/grafana.if \ - %{buildroot}%{_datadir}/selinux/devel/include/distributed/grafana.if + install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant} + install -p -m 644 grafana.pp.${selinuxvariant} \ + %{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp done +cd - %pre %sysusers_create_compat %{SOURCE3} 
@@ -981,46 +995,39 @@ export GOEXPERIMENT=boringcrypto %doc README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md # SELinux policy -%pre selinux -%selinux_relabel_pre - %post selinux for selinuxvariant in %{selinux_variants} do - %selinux_modules_install -s ${selinuxvariant} %{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2 &>/dev/null - /usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || : - semodule -X400 -r grafana &>/dev/null || true + /usr/sbin/semodule -s ${selinuxvariant} -i \ + %{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || : done -%selinux_relabel_post - -if [ "$1" -le "1" ]; then # First install - # The daemon needs to be restarted for the custom label to be applied. - # This will fail in case "post selinux" is executed before the service file is installed, - # but then it is safe to ignore since the service will first start with the proper label - %systemd_postun_with_restart grafana.service &> /dev/null || : -fi +/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || : +/sbin/restorecon -RvF /etc/grafana &> /dev/null || : +/sbin/restorecon -RvF /var/log/grafana &> /dev/null || : +/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || : +/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || : +/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || : %postun selinux -for selinuxvariant in %{selinux_variants} -do - if [ $1 -eq 0 ]; then - /usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || : - %selinux_modules_uninstall -s ${selinuxvariant} grafana - %selinux_relabel_post -s ${selinuxvariant} - fi -done +if [ $1 -eq 0 ] ; then +/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || : + for selinuxvariant in %{selinux_variants} + do + /usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || : + done + /sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || : + /sbin/restorecon -RvF /etc/grafana &> /dev/null || : + /sbin/restorecon -RvF 
/var/log/grafana &> /dev/null || : + /sbin/restorecon -RvF /var/lib/grafana &> /dev/null || : + /sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || : +fi %files selinux -%{_datadir}/selinux/packages/*/grafana.pp.* -%{_datadir}/selinux/devel/include/distributed/grafana.if -%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana +%defattr(-,root,root,0755) +%doc SELinux/* +%{_datadir}/selinux/*/grafana.pp %changelog -* Tue May 20 2025 Sam Feifer 10.2.6-19 -- Resolves RHEL-92648: Added selinux rules for ldap and other observed selinux denials -- Reworked the spec file selinux sections -- Fixed the priority of the selinux policy - * Tue May 13 2025 Sam Feifer 10.2.6-18 - Resolves RHEL-89943: CVE-2025-4123 diff --git a/grafana.te b/grafana.te index 41f0cb3..910fd54 100644 --- a/grafana.te +++ b/grafana.te @@ -27,6 +27,13 @@ gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false) ## gen_tunable(grafana_can_tcp_connect_mysql_port, false) +## +##
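Review bot: In the restored `%post selinux`, `/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :` discards both the exit status and the diagnostics, so if tcp/3000 is already defined by the base policy (the `ntop_port_t name_bind` rule removed further down in grafana.te suggests it is), the `-a` call fails with "already defined", the port keeps its existing label, and grafana_t may be refused `name_bind` on its own port with no trace in the install log. The defensive form falls back to modifying the existing record: `/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 2>/dev/null || /usr/sbin/semanage port -m -t grafana_port_t -p tcp 3000 || :`. The `semodule -s ${selinuxvariant} -i … &> /dev/null || :` line above it has the same problem; keep `|| :` so a policy failure does not abort the transaction, but let stderr through so a module that fails to load is visible to whoever runs the install. Separately, `%defattr(-,root,root,0755)` in `%files selinux` is redundant with modern rpm defaults and can be dropped.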

+## Allow grafana to connect to postgresql's default tcp port of 5432 +##

+##
+gen_tunable(grafana_can_tcp_connect_postgresql_port, false) + ## ##

## Allow grafana to connect to prometheus' default tcp port of 9090 @@ -34,19 +41,6 @@ gen_tunable(grafana_can_tcp_connect_mysql_port, false) ## gen_tunable(grafana_can_tcp_connect_prometheus_port, false) -## -##

-## Allow grafana to connect to postgresql's default tcp port of 5432 -##

-##
-gen_tunable(grafana_can_tcp_connect_postgresql_port, false) - -## -##

-## Allow grafana to connect to ldap's tcp port -##

-##
-gen_tunable(grafana_can_tcp_connect_ldap_port, false) type grafana_t; type grafana_exec_t; @@ -101,9 +95,6 @@ allow grafana_t self:unix_dgram_socket create_socket_perms; allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect }; -allow grafana_t grafana_var_lib_t:file { execute execute_no_trans }; -allow grafana_t grafana_var_lib_t:file map; - allow grafana_t self:unix_stream_socket connectto; allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read }; @@ -116,14 +107,6 @@ optional_policy(` allow grafana_t smtp_port_t:tcp_socket name_connect; ') -optional_policy(` - require { - type ntop_port_t; - class tcp_socket { name_bind }; - } - allow grafana_t ntop_port_t:tcp_socket name_bind; -') - optional_policy(` require { type usr_t; @@ -159,14 +142,6 @@ optional_policy(` allow grafana_t autofs_t:dir getattr; ') -optional_policy(` - require { - type postfix_local_t; - class dir { search }; - } - allow postfix_local_t grafana_var_lib_t:dir search; -') - manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t) manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t) @@ -238,10 +213,6 @@ tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default corenet_tcp_connect_postgresql_port(grafana_t) ') -tunable_policy(`grafana_can_tcp_connect_ldap_port',` - corenet_tcp_connect_ldap_port(grafana_t) -') - optional_policy(` systemd_private_tmp(grafana_tmp_t) ')