Import from AlmaLinux beta
This commit is contained in:
parent
e1299f47a9
commit
dd9dfb6010
@ -52,7 +52,7 @@ index dafa075a2c..eda358c425 100755
|
||||
+ cfg:default.paths.logs=${LOG_DIR} \
|
||||
+ cfg:default.paths.plugins=${PLUGINS_DIR}")
|
||||
+
|
||||
+if [ "$(id -u)" -eq 0 ]; then
|
||||
+if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then
|
||||
+ cd "${GRAFANA_HOME}"
|
||||
+ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@"
|
||||
+elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then
|
||||
|
13
SOURCES/0012-coredump-selinux-error.patch
Normal file
13
SOURCES/0012-coredump-selinux-error.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/pkg/framework/coremodel/helpers.go b/pkg/framework/coremodel/helpers.go
|
||||
index 20d111edba..6655f81cee 100644
|
||||
--- a/pkg/framework/coremodel/helpers.go
|
||||
+++ b/pkg/framework/coremodel/helpers.go
|
||||
@@ -26,7 +26,7 @@ func init() {
|
||||
var err error
|
||||
defaultFramework, err = doLoadFrameworkCUE(cuectx.ProvideCUEContext())
|
||||
if err != nil {
|
||||
- panic(err)
|
||||
+// panic(err)
|
||||
}
|
||||
}
|
||||
|
24
SOURCES/grafana.fc
Normal file
24
SOURCES/grafana.fc
Normal file
@ -0,0 +1,24 @@
|
||||
/etc/systemd/system/grafana-server.service -- gen_context(system_u:object_r:grafana_unit_file_t,s0)
|
||||
/usr/lib/systemd/system/grafana-server.service -- gen_context(system_u:object_r:grafana_unit_file_t,s0)
|
||||
|
||||
/etc/grafana(/.*)? gen_context(system_u:object_r:grafana_conf_t,s0)
|
||||
|
||||
/usr/sbin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||
/usr/sbin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||
|
||||
/var/lib/grafana(/.*)? gen_context(system_u:object_r:grafana_var_lib_t,s0)
|
||||
#/var/lib/grafana/grafana.db -- gen_context(system_u:object_r:grafana_db_t,s0)
|
||||
|
||||
/var/log/grafana(/.*)? gen_context(system_u:object_r:grafana_log_t,s0)
|
||||
|
||||
/var/run/grafana(/.*)? -- gen_context(system_u:object_r:grafana_var_run_t,s0)
|
||||
|
||||
#/var/lib/grafana/plugins(/.*)? gen_context(system_u:object_r:grafana_plugin_t,s0)
|
||||
|
||||
/usr/share/grafana/bin/grafana -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||
/usr/share/grafana/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||
/usr/share/grafana/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||
|
||||
#define context for pcp plugin
|
||||
#/usr/share/performancecopilot-pcp-app/datasources/redis/pcp_redis_datasource_(.*) -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
|
||||
/usr/libexec/grafana-pcp/datasources/redis/pcp_redis_datasource_(.*) -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
|
141
SOURCES/grafana.if
Normal file
141
SOURCES/grafana.if
Normal file
@ -0,0 +1,141 @@
|
||||
## <summary>policy for grafana</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute grafana_exec_t in the grafana domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`grafana_domtrans',`
|
||||
gen_require(`
|
||||
type grafana_t, grafana_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, grafana_exec_t, grafana_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to name_connect to grafana port. Default :3000
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`connect_grafana_port',`
|
||||
gen_require(`
|
||||
class tcp_socket name_connect;
|
||||
type grafana_port_t;
|
||||
')
|
||||
|
||||
allow $1 grafana_port_t:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read grafana database.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`grafana_read_db',`
|
||||
gen_require(`
|
||||
type grafana_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
search_dirs_pattern($1, grafana_var_lib_t, grafana_var_lib_t)
|
||||
read_files_pattern($1, grafana_db_t, grafana_db_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute grafana in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`grafana_exec',`
|
||||
gen_require(`
|
||||
type grafana_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, grafana_exec_t)
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute grafana server in the grafana domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`grafana_systemctl',`
|
||||
gen_require(`
|
||||
type grafana_t;
|
||||
type grafana_unit_file_t;
|
||||
')
|
||||
|
||||
systemd_exec_systemctl($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
allow $1 grafana_unit_file_t:file read_file_perms;
|
||||
allow $1 grafana_unit_file_t:service manage_service_perms;
|
||||
|
||||
ps_process_pattern($1, grafana_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an grafana environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`grafana_admin',`
|
||||
gen_require(`
|
||||
type grafana_t;
|
||||
type grafana_unit_file_t;
|
||||
')
|
||||
|
||||
allow $1 grafana_t:process { signal_perms };
|
||||
ps_process_pattern($1, grafana_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 grafana_t:process ptrace;
|
||||
')
|
||||
|
||||
grafana_systemctl($1)
|
||||
admin_pattern($1, grafana_unit_file_t)
|
||||
allow $1 grafana_unit_file_t:service all_service_perms;
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
199
SOURCES/grafana.te
Normal file
199
SOURCES/grafana.te
Normal file
@ -0,0 +1,199 @@
|
||||
policy_module(grafana, 1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
#permissive grafana_t;
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to be used with a reverse proxy
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_reverse_proxy, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to elasticsearch's default tcp port of 9200
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to mysql's default tcp port of 3306
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_mysql_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to postgresql's default tcp port of 5432
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to prometheus' default tcp port of 9090
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
|
||||
|
||||
|
||||
type grafana_t;
|
||||
type grafana_exec_t;
|
||||
init_daemon_domain(grafana_t, grafana_exec_t)
|
||||
init_nnp_daemon_domain(grafana_t)
|
||||
|
||||
type grafana_unit_file_t;
|
||||
systemd_unit_file(grafana_unit_file_t)
|
||||
|
||||
type grafana_conf_t;
|
||||
files_config_file(grafana_conf_t)
|
||||
|
||||
type grafana_db_t;
|
||||
files_config_file(grafana_db_t)
|
||||
|
||||
type grafana_tmp_t;
|
||||
files_tmp_file(grafana_tmp_t)
|
||||
|
||||
type grafana_tmpfs_t;
|
||||
files_tmpfs_file(grafana_tmpfs_t)
|
||||
|
||||
type grafana_log_t;
|
||||
logging_log_file(grafana_log_t)
|
||||
|
||||
type grafana_var_run_t;
|
||||
files_pid_file(grafana_var_run_t)
|
||||
|
||||
type grafana_var_lib_t;
|
||||
files_type(grafana_var_lib_t)
|
||||
|
||||
type grafana_port_t;
|
||||
corenet_port(grafana_port_t)
|
||||
|
||||
type grafana_pcp_exec_t;
|
||||
corecmd_executable_file(grafana_pcp_exec_t)
|
||||
can_exec(grafana_t, grafana_pcp_exec_t)
|
||||
|
||||
# Ports 32768-60999 (pcp port is 44322)
|
||||
corenet_tcp_connect_all_ephemeral_ports(grafana_t)
|
||||
grafana_exec(grafana_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# grafana local policy
|
||||
#
|
||||
allow grafana_t self:tcp_socket create_stream_socket_perms;
|
||||
allow grafana_t self:udp_socket create_stream_socket_perms;
|
||||
allow grafana_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
|
||||
|
||||
allow grafana_t self:unix_stream_socket connectto;
|
||||
|
||||
allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type smtp_port_t;
|
||||
class tcp_socket { name_connect };
|
||||
}
|
||||
allow grafana_t smtp_port_t:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type usr_t;
|
||||
class file { execute execute_no_trans };
|
||||
}
|
||||
allow grafana_t usr_t:file { execute execute_no_trans };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type postgresql_t;
|
||||
type postgresql_var_run_t;
|
||||
class unix_stream_socket { connectto };
|
||||
class sock_file { write };
|
||||
}
|
||||
allow grafana_t postgresql_t:unix_stream_socket connectto;
|
||||
allow grafana_t postgresql_var_run_t:sock_file write;
|
||||
')
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||
manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_db_t, grafana_db_t)
|
||||
manage_files_pattern(grafana_t, grafana_db_t, grafana_db_t)
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||
manage_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||
manage_sock_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||
files_tmp_filetrans(grafana_t, grafana_tmp_t, { dir file sock_file })
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
|
||||
manage_files_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
|
||||
fs_tmpfs_filetrans(grafana_t, grafana_tmpfs_t, {dir file})
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_log_t, grafana_log_t)
|
||||
manage_files_pattern(grafana_t, grafana_log_t, grafana_log_t)
|
||||
logging_log_filetrans(grafana_t, grafana_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
|
||||
manage_files_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
|
||||
files_pid_filetrans(grafana_t, grafana_var_run_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||
manage_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||
manage_lnk_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||
files_var_lib_filetrans(grafana_t, grafana_var_lib_t, { dir file })
|
||||
|
||||
|
||||
corenet_tcp_connect_http_port(grafana_t)
|
||||
corenet_tcp_bind_generic_node(grafana_t)
|
||||
|
||||
kernel_dgram_send(grafana_t)
|
||||
kernel_read_net_sysctls(grafana_t)
|
||||
kernel_read_system_state(grafana_t)
|
||||
|
||||
auth_read_passwd(grafana_t)
|
||||
|
||||
dev_read_sysfs(grafana_t)
|
||||
|
||||
sysnet_read_config(grafana_t)
|
||||
|
||||
logging_send_syslog_msg(grafana_t)
|
||||
|
||||
miscfiles_read_generic_certs(grafana_t)
|
||||
|
||||
tunable_policy(`grafana_can_reverse_proxy',`
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
')
|
||||
|
||||
connect_grafana_port(httpd_t) # Reverse proxy support
|
||||
corenet_tcp_connect_http_port(grafana_t)
|
||||
')
|
||||
|
||||
tunable_policy(`grafana_can_tcp_connect_elasticsearch_port',` # Elasticsearch default tcp port 9200
|
||||
corenet_tcp_connect_wap_wsp_port(grafana_t)
|
||||
')
|
||||
|
||||
tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3306
|
||||
corenet_tcp_connect_mysqld_port(grafana_t)
|
||||
')
|
||||
|
||||
tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
|
||||
corenet_tcp_connect_postgresql_port(grafana_t)
|
||||
')
|
||||
|
||||
tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090
|
||||
corenet_tcp_connect_websm_port(grafana_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_private_tmp(grafana_tmp_t)
|
||||
')
|
@ -21,9 +21,11 @@ end}
|
||||
%global gomodulesmode GO111MODULE=auto
|
||||
%global gotestflags %{gotestflags} -tags=integration
|
||||
|
||||
%global selinux_variants mls targeted
|
||||
|
||||
Name: grafana
|
||||
Version: 9.2.10
|
||||
Release: 4%{?dist}
|
||||
Release: 15%{?dist}
|
||||
Summary: Metrics dashboard and graph editor
|
||||
License: AGPL-3.0-only
|
||||
URL: https://grafana.org
|
||||
@ -58,6 +60,11 @@ Source6: list_bundled_nodejs_packages.py
|
||||
# Source7 contains the script to create the vendor and webpack bundles in a container
|
||||
Source7: create_bundles_in_container.sh
|
||||
|
||||
# Source8 - Source10 contain the grafana-selinux policy
|
||||
Source8: grafana.te
|
||||
Source9: grafana.fc
|
||||
Source10: grafana.if
|
||||
|
||||
# Patches affecting the source tarball
|
||||
Patch1: 0001-update-grafana-cli-script-with-distro-specific-paths.patch
|
||||
Patch2: 0002-add-manpages.patch
|
||||
@ -70,6 +77,7 @@ Patch8: 0008-graphite-functions-xss.patch
|
||||
Patch9: 0009-redact-weak-ciphers.patch
|
||||
Patch10: 0010-skip-tests.patch
|
||||
Patch11: 0011-remove-email-lookup.patch
|
||||
Patch12: 0012-coredump-selinux-error.patch
|
||||
|
||||
# Patches affecting the vendor tarball
|
||||
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
|
||||
@ -81,7 +89,7 @@ ExclusiveArch: %{grafana_arches}
|
||||
|
||||
BuildRequires: systemd
|
||||
BuildRequires: systemd-rpm-macros
|
||||
BuildRequires: golang >= 1.17
|
||||
BuildRequires: golang
|
||||
BuildRequires: go-srpm-macros
|
||||
%if 0%{?rhel} >= 9
|
||||
BuildRequires: go-rpm-macros
|
||||
@ -107,6 +115,14 @@ Requires(pre): shadow-utils
|
||||
BuildRequires: shared-mime-info
|
||||
Requires: shared-mime-info
|
||||
|
||||
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 8
|
||||
# This ensures that the grafana-selinux package and all its dependencies are
|
||||
# not pulled into containers and other systems that do not use SELinux
|
||||
Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-targeted)
|
||||
%else
|
||||
Requires: grafana-selinux = %{version}-%{release}
|
||||
%endif
|
||||
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
Recommends: grafana-pcp
|
||||
%endif
|
||||
@ -708,6 +724,20 @@ Provides: bundled(npm(yaml)) = 1.10.2
|
||||
Grafana is an open source, feature rich metrics dashboard and graph editor for
|
||||
Graphite, InfluxDB & OpenTSDB.
|
||||
|
||||
# SELinux package
|
||||
%package selinux
|
||||
Summary: SELinux policy module supporting grafana
|
||||
BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
|
||||
%if "%{_selinux_policy_version}" != ""
|
||||
Requires: selinux-policy >= %{_selinux_policy_version}
|
||||
%endif
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: selinux-policy-targeted
|
||||
Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
|
||||
Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
|
||||
|
||||
%description selinux
|
||||
SELinux policy module supporting grafana
|
||||
|
||||
%prep
|
||||
%setup -q -T -D -b 0
|
||||
@ -719,6 +749,10 @@ rm -r plugins-bundled
|
||||
%setup -q -T -D -b 2
|
||||
%endif
|
||||
|
||||
# SELinux policy
|
||||
mkdir SELinux
|
||||
cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
|
||||
|
||||
%patch -P 1 -p1
|
||||
%patch -P 2 -p1
|
||||
%patch -P 3 -p1
|
||||
@ -730,6 +764,7 @@ rm -r plugins-bundled
|
||||
%patch -P 9 -p1
|
||||
%patch -P 10 -p1
|
||||
%patch -P 11 -p1
|
||||
%patch -P 12 -p1
|
||||
|
||||
%patch -P 1001 -p1
|
||||
%if %{enable_fips_mode}
|
||||
@ -758,6 +793,16 @@ for cmd in grafana-cli grafana-server; do
|
||||
%gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd}
|
||||
done
|
||||
|
||||
# SELinux policy
|
||||
cd SELinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
|
||||
mv grafana.pp grafana.pp.${selinuxvariant}
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
|
||||
done
|
||||
cd -
|
||||
|
||||
|
||||
%install
|
||||
# dirs, shared files, public html, webpack
|
||||
@ -817,6 +862,16 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \
|
||||
# systemd-sysusers configuration
|
||||
install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
|
||||
# SELinux policy
|
||||
cd SELinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
|
||||
install -p -m 644 grafana.pp.${selinuxvariant} \
|
||||
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp
|
||||
done
|
||||
cd -
|
||||
|
||||
%pre
|
||||
%sysusers_create_compat %{SOURCE3}
|
||||
|
||||
@ -866,12 +921,12 @@ export TZ=GMT
|
||||
# required since RHEL 8.8 to fix the following error:
|
||||
# "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
|
||||
# can be removed in a future Go release
|
||||
export GOEXPERIMENT=boringcrypto
|
||||
%gotest ./pkg/...
|
||||
#export GOEXPERIMENT=boringcrypto
|
||||
#% gotest ./pkg/...
|
||||
|
||||
%if %{enable_fips_mode}
|
||||
OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
|
||||
%endif
|
||||
#%if %{enable_fips_mode}
|
||||
#OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
|
||||
#%endif
|
||||
|
||||
%files
|
||||
# binaries and wrappers
|
||||
@ -919,8 +974,68 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
|
||||
%doc CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md GOVERNANCE.md HALL_OF_FAME.md ISSUE_TRIAGE.md MAINTAINERS.md
|
||||
%doc PLUGIN_DEV.md README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md
|
||||
|
||||
# SELinux policy
|
||||
%post selinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -i \
|
||||
%{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || :
|
||||
done
|
||||
/sbin/restorecon -RvF /usr/sbin/grafana-* &> /dev/null || :
|
||||
/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
|
||||
/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ] ; then
|
||||
/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || :
|
||||
done
|
||||
/sbin/restorecon -RvF /usr/sbin/grafana-* &> /dev/null || :
|
||||
/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
|
||||
fi
|
||||
|
||||
%files selinux
|
||||
%defattr(-,root,root,0755)
|
||||
%doc SELinux/*
|
||||
%{_datadir}/selinux/*/grafana.pp
|
||||
|
||||
%changelog
|
||||
* Wed Jan 31 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-15
|
||||
- Resolves RHEL-23468
|
||||
- Allows for gid to be 0
|
||||
- Allows for postgreSQL datasource in selinux policy
|
||||
|
||||
* Tue Dec 19 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
|
||||
- Fixes postgresql AVC denial
|
||||
- Related RHEL-7505
|
||||
|
||||
* Thu Dec 14 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-13
|
||||
- Resolves RHEL-19296
|
||||
- Fixes coredump issue introduced by selinux
|
||||
- Patches out call to panic when trying to walk "/" directory
|
||||
|
||||
* Thu Nov 30 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
|
||||
- Resolves RHEL-7505
|
||||
- Fixes additional selinux denials found when testing on certain architectures
|
||||
|
||||
* Tue Nov 21 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-11
|
||||
- Resolves RHEL-7505
|
||||
- Fixes selinux denials found when testing on certain architectures
|
||||
|
||||
* Wed Nov 15 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-10
|
||||
- Resolves RHEL-7505
|
||||
- Adds a selinux policy for grafana
|
||||
- Resolves RHEL-12666
|
||||
- fix CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
|
||||
|
||||
* Thu Jul 20 2023 Stan Cox <scox@redhat.com> 9.2.10-5
|
||||
- resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user