Fixes postgresql AVC denial
Fixes coredump from AVC denial Resolves: RHEL-19596
parent
c90ce7cb55
commit
ceeb8ba298
13
0012-coredump-selinux-error.patch
Normal file
13
0012-coredump-selinux-error.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff --git a/pkg/framework/coremodel/helpers.go b/pkg/framework/coremodel/helpers.go
|
||||||
|
index 20d111edba..6655f81cee 100644
|
||||||
|
--- a/pkg/framework/coremodel/helpers.go
|
||||||
|
+++ b/pkg/framework/coremodel/helpers.go
|
||||||
|
@@ -26,7 +26,7 @@ func init() {
|
||||||
|
var err error
|
||||||
|
defaultFramework, err = doLoadFrameworkCUE(cuectx.ProvideCUEContext())
|
||||||
|
if err != nil {
|
||||||
|
- panic(err)
|
||||||
|
+// panic(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
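Review bot: With `panic(err)` commented out, the `if err != nil` branch in `init()` is left empty, so a failed `doLoadFrameworkCUE` is discarded without a trace and `defaultFramework` keeps whatever the failed call returned. Any later use of `defaultFramework` would then fail far from the cause, and the SELinux denial behind the error (the changelog mentions walking "/") no longer shows up in Grafana's own output. I would at least record the error rather than drop it, for example `fmt.Fprintf(os.Stderr, "coremodel: loading framework CUE: %v\n", err)` if `fmt` and `os` are imported in this file, and replace the commented-out call with an explanatory comment such as `// Do not panic: under the SELinux policy this load can fail with an AVC denial (RHEL-19596).` The rest of `init()` and every reader of `defaultFramework` lie outside the hunk, so whether an unset framework is tolerated downstream still needs checking.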
10
grafana.spec
10
grafana.spec
@ -35,7 +35,7 @@ end}
|
|||||||
|
|
||||||
Name: grafana
|
Name: grafana
|
||||||
Version: 9.2.10
|
Version: 9.2.10
|
||||||
Release: 12%{?dist}
|
Release: 14%{?dist}
|
||||||
Summary: Metrics dashboard and graph editor
|
Summary: Metrics dashboard and graph editor
|
||||||
License: AGPLv3
|
License: AGPLv3
|
||||||
URL: https://grafana.org
|
URL: https://grafana.org
|
||||||
@ -86,6 +86,7 @@ Patch7: 0007-fix-alert-test.patch
|
|||||||
Patch8: 0008-graphite-functions-xss.patch
|
Patch8: 0008-graphite-functions-xss.patch
|
||||||
Patch10: 0010-skip-tests.patch
|
Patch10: 0010-skip-tests.patch
|
||||||
Patch11: 0011-remove-email-lookup.patch
|
Patch11: 0011-remove-email-lookup.patch
|
||||||
|
Patch12: 0012-coredump-selinux-error.patch
|
||||||
|
|
||||||
# Patches affecting the vendor tarball
|
# Patches affecting the vendor tarball
|
||||||
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
|
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
|
||||||
@ -771,6 +772,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
|
|||||||
%patch -P 8 -p1
|
%patch -P 8 -p1
|
||||||
%patch -P 10 -p1
|
%patch -P 10 -p1
|
||||||
%patch -P 11 -p1
|
%patch -P 11 -p1
|
||||||
|
%patch -P 12 -p1
|
||||||
|
|
||||||
%patch -P 1001 -p1
|
%patch -P 1001 -p1
|
||||||
%if %{enable_fips_mode}
|
%if %{enable_fips_mode}
|
||||||
@ -1017,6 +1019,12 @@ fi
|
|||||||
%{_datadir}/selinux/*/grafana.pp
|
%{_datadir}/selinux/*/grafana.pp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 18 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
|
||||||
|
- Resolves RHEL-19596
|
||||||
|
- Fixes coredump issue introduced by selinux
|
||||||
|
- Patches out call to panic when trying to walk "/" directory
|
||||||
|
- Fixes postgresql AVC denial
|
||||||
|
|
||||||
* Fri Dec 1 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
|
* Fri Dec 1 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
|
||||||
- Resolves RHEL-7503
|
- Resolves RHEL-7503
|
||||||
- Adds a selinux policy for grafana
|
- Adds a selinux policy for grafana
|
||||||
|
11
grafana.te
11
grafana.te
@ -105,6 +105,17 @@ optional_policy(`
|
|||||||
allow grafana_t usr_t:file { execute execute_no_trans };
|
allow grafana_t usr_t:file { execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
require {
|
||||||
|
type postgresql_t;
|
||||||
|
type postgresql_var_run_t;
|
||||||
|
class unix_stream_socket { connectto };
|
||||||
|
class sock_file { write };
|
||||||
|
}
|
||||||
|
allow grafana_t postgresql_t:unix_stream_socket connectto;
|
||||||
|
allow grafana_t postgresql_var_run_t:sock_file write;
|
||||||
|
')
|
||||||
|
|
||||||
manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||||
manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||||
|
|
||||||
|
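Review bot: The new `optional_policy` block hand-writes two `allow` rules behind a `require` on `postgresql_t` and `postgresql_var_run_t`, which ties this module to the PostgreSQL policy's internal type names. The reference policy's PostgreSQL module exports an interface for this, so the block body could be `postgresql_stream_connect(grafana_t)`; as far as I know that also covers searching the directory that holds the socket, which the two rules here do not grant, but it may allow somewhat more than these two rules, so compare the expanded rules before switching. A comment above the block would help as well, e.g. `# Let grafana reach a local PostgreSQL data source over its Unix socket (RHEL-19596)`. The rule lets every process running as `grafana_t` connect to the local PostgreSQL socket, so database-side authentication remains the control that limits what Grafana can read.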