Import from AlmaLinux beta

2024-04-30 23:05:11 +03:00 · 2024-04-30 23:05:11 +03:00 · dd9dfb6010
commit dd9dfb6010
parent e1299f47a9
6 changed files with 500 additions and 8 deletions
--- a/SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch
+++ b/SOURCES/0001-update-grafana-cli-script-with-distro-specific-paths.patch
@ -52,7 +52,7 @@ index dafa075a2c..eda358c425 100755
 +                         cfg:default.paths.logs=${LOG_DIR} \
 +                         cfg:default.paths.plugins=${PLUGINS_DIR}")
 +
-+if [ "$(id -u)" -eq 0 ]; then
+if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then
 +  cd "${GRAFANA_HOME}"
 +  exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@"
 +elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then
--- a/SOURCES/0012-coredump-selinux-error.patch
+++ b/SOURCES/0012-coredump-selinux-error.patch
@ -0,0 +1,13 @@
+diff --git a/pkg/framework/coremodel/helpers.go b/pkg/framework/coremodel/helpers.go
+index 20d111edba..6655f81cee 100644
+--- a/pkg/framework/coremodel/helpers.go
+++ b/pkg/framework/coremodel/helpers.go
+@@ -26,7 +26,7 @@ func init() {
+ 	var err error
+ 	defaultFramework, err = doLoadFrameworkCUE(cuectx.ProvideCUEContext())
+ 	if err != nil {
+-		panic(err)
+//		panic(err)
+ 	}
+ }
+ 
--- a/SOURCES/grafana.fc
+++ b/SOURCES/grafana.fc
@ -0,0 +1,24 @@
+/etc/systemd/system/grafana-server.service		--	gen_context(system_u:object_r:grafana_unit_file_t,s0)
+/usr/lib/systemd/system/grafana-server.service		--	gen_context(system_u:object_r:grafana_unit_file_t,s0)
+
+/etc/grafana(/.*)?						gen_context(system_u:object_r:grafana_conf_t,s0)
+
+/usr/sbin/grafana-cli					--	gen_context(system_u:object_r:grafana_exec_t,s0)
+/usr/sbin/grafana-server				--	gen_context(system_u:object_r:grafana_exec_t,s0)
+
+/var/lib/grafana(/.*)?						gen_context(system_u:object_r:grafana_var_lib_t,s0)
+#/var/lib/grafana/grafana.db				--	gen_context(system_u:object_r:grafana_db_t,s0)
+
+/var/log/grafana(/.*)?						gen_context(system_u:object_r:grafana_log_t,s0)
+
+/var/run/grafana(/.*)?			--	gen_context(system_u:object_r:grafana_var_run_t,s0)
+
+#/var/lib/grafana/plugins(/.*)?					gen_context(system_u:object_r:grafana_plugin_t,s0)
+
+/usr/share/grafana/bin/grafana				--	gen_context(system_u:object_r:grafana_exec_t,s0)
+/usr/share/grafana/bin/grafana-cli			--	gen_context(system_u:object_r:grafana_exec_t,s0)
+/usr/share/grafana/bin/grafana-server			--	gen_context(system_u:object_r:grafana_exec_t,s0)
+
+#define context for pcp plugin
+#/usr/share/performancecopilot-pcp-app/datasources/redis/pcp_redis_datasource_(.*)           -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
+/usr/libexec/grafana-pcp/datasources/redis/pcp_redis_datasource_(.*)           -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
--- a/SOURCES/grafana.if
+++ b/SOURCES/grafana.if
@ -0,0 +1,141 @@
+## <summary>policy for grafana</summary>
+
+########################################
+## <summary>
+##	Execute grafana_exec_t in the grafana domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`grafana_domtrans',`
+	gen_require(`
+		type grafana_t, grafana_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, grafana_exec_t, grafana_t)
+')
+
+########################################
+## <summary>
+##      Allow domain to name_connect to grafana port. Default :3000
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access
+## </summary>
+## </param>
+#
+interface(`connect_grafana_port',`
+        gen_require(`
+		class tcp_socket name_connect;
+                type grafana_port_t;
+        ')
+
+	allow $1 grafana_port_t:tcp_socket name_connect;
+')
+
+#######################################
+## <summary>
+##	Read grafana database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`grafana_read_db',`
+	gen_require(`
+		type grafana_db_t;
+	')
+
+	files_search_var_lib($1)
+	search_dirs_pattern($1, grafana_var_lib_t, grafana_var_lib_t)	
+	read_files_pattern($1, grafana_db_t, grafana_db_t)
+')
+
+######################################
+## <summary>
+##	Execute grafana in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`grafana_exec',`
+	gen_require(`
+		type grafana_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, grafana_exec_t)
+')
+########################################
+## <summary>
+##	Execute grafana server in the grafana domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`grafana_systemctl',`
+	gen_require(`
+		type grafana_t;
+		type grafana_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 grafana_unit_file_t:file read_file_perms;
+	allow $1 grafana_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, grafana_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an grafana environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`grafana_admin',`
+	gen_require(`
+	type grafana_t;
+	type grafana_unit_file_t;
+	')
+
+	allow $1 grafana_t:process { signal_perms };
+	ps_process_pattern($1, grafana_t)
+
+	tunable_policy(`deny_ptrace',`',`
+        	allow $1 grafana_t:process ptrace;
+    	')
+
+	grafana_systemctl($1)
+	admin_pattern($1, grafana_unit_file_t)
+	allow $1 grafana_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/SOURCES/grafana.te
+++ b/SOURCES/grafana.te
@ -0,0 +1,199 @@
+policy_module(grafana, 1.0.4)
+
+########################################
+#
+# Declarations
+#
+#permissive grafana_t;
+
+## <desc>
+## <p>
+## Allow grafana to be used with a reverse proxy
+## </p>
+## </desc>
+gen_tunable(grafana_can_reverse_proxy, false)
+
+## <desc>
+## <p>
+## Allow grafana to connect to elasticsearch's default tcp port of 9200
+## </p>
+## </desc>
+gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
+
+## <desc>
+## <p>
+## Allow grafana to connect to mysql's default tcp port of 3306
+## </p>
+## </desc>
+gen_tunable(grafana_can_tcp_connect_mysql_port, false)
+
+## <desc>
+## <p>
+## Allow grafana to connect to postgresql's default tcp port of 5432
+## </p>
+## </desc>
+gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
+
+## <desc>
+## <p>
+## Allow grafana to connect to prometheus' default tcp port of 9090
+## </p>
+## </desc>
+gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
+
+
+type grafana_t;
+type grafana_exec_t;
+init_daemon_domain(grafana_t, grafana_exec_t)
+init_nnp_daemon_domain(grafana_t)
+
+type grafana_unit_file_t;
+systemd_unit_file(grafana_unit_file_t)
+
+type grafana_conf_t;
+files_config_file(grafana_conf_t)
+
+type grafana_db_t;
+files_config_file(grafana_db_t)
+
+type grafana_tmp_t;
+files_tmp_file(grafana_tmp_t)
+
+type grafana_tmpfs_t;
+files_tmpfs_file(grafana_tmpfs_t)
+
+type grafana_log_t;
+logging_log_file(grafana_log_t)
+
+type grafana_var_run_t;
+files_pid_file(grafana_var_run_t)
+
+type grafana_var_lib_t;
+files_type(grafana_var_lib_t)
+
+type grafana_port_t;
+corenet_port(grafana_port_t)
+
+type grafana_pcp_exec_t;
+corecmd_executable_file(grafana_pcp_exec_t)
+can_exec(grafana_t, grafana_pcp_exec_t)
+
+# Ports 32768-60999 (pcp port is 44322)
+corenet_tcp_connect_all_ephemeral_ports(grafana_t)
+grafana_exec(grafana_t)
+
+########################################
+#
+# grafana local policy
+#
+allow grafana_t self:tcp_socket create_stream_socket_perms;
+allow grafana_t self:udp_socket create_stream_socket_perms;
+allow grafana_t self:unix_dgram_socket create_socket_perms;
+
+allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
+
+allow grafana_t self:unix_stream_socket connectto;
+
+allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
+
+optional_policy(`
+	require {
+		type smtp_port_t;
+		class tcp_socket { name_connect };
+	}
+	allow grafana_t smtp_port_t:tcp_socket name_connect;
+')
+
+optional_policy(`
+	require {
+		type usr_t;
+		class file { execute execute_no_trans };
+	}
+	allow grafana_t usr_t:file { execute execute_no_trans };
+')
+
+optional_policy(`
+	require {
+		type postgresql_t;
+		type postgresql_var_run_t;
+		class unix_stream_socket { connectto };
+		class sock_file { write };
+	}
+	allow grafana_t postgresql_t:unix_stream_socket connectto;
+	allow grafana_t postgresql_var_run_t:sock_file write;
+')
+
+manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
+manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
+
+manage_dirs_pattern(grafana_t, grafana_db_t, grafana_db_t)
+manage_files_pattern(grafana_t, grafana_db_t, grafana_db_t)
+
+manage_dirs_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
+manage_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
+manage_sock_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
+files_tmp_filetrans(grafana_t, grafana_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
+manage_files_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
+fs_tmpfs_filetrans(grafana_t, grafana_tmpfs_t, {dir file})
+
+manage_dirs_pattern(grafana_t, grafana_log_t, grafana_log_t)
+manage_files_pattern(grafana_t, grafana_log_t, grafana_log_t)
+logging_log_filetrans(grafana_t, grafana_log_t, { dir file })
+
+manage_dirs_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
+manage_files_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
+files_pid_filetrans(grafana_t, grafana_var_run_t, { dir file })
+
+manage_dirs_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
+manage_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
+manage_lnk_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
+files_var_lib_filetrans(grafana_t, grafana_var_lib_t, { dir file })
+
+
+corenet_tcp_connect_http_port(grafana_t)
+corenet_tcp_bind_generic_node(grafana_t)
+
+kernel_dgram_send(grafana_t)
+kernel_read_net_sysctls(grafana_t)
+kernel_read_system_state(grafana_t)
+
+auth_read_passwd(grafana_t)
+
+dev_read_sysfs(grafana_t)
+
+sysnet_read_config(grafana_t)
+
+logging_send_syslog_msg(grafana_t)
+
+miscfiles_read_generic_certs(grafana_t)
+
+tunable_policy(`grafana_can_reverse_proxy',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	connect_grafana_port(httpd_t) # Reverse proxy support
+	corenet_tcp_connect_http_port(grafana_t)
+')
+
+tunable_policy(`grafana_can_tcp_connect_elasticsearch_port',` # Elasticsearch default tcp port 9200
+	corenet_tcp_connect_wap_wsp_port(grafana_t)
+')
+
+tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3306
+	corenet_tcp_connect_mysqld_port(grafana_t)
+')
+
+tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
+	corenet_tcp_connect_postgresql_port(grafana_t)
+')
+
+tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090
+	corenet_tcp_connect_websm_port(grafana_t)
+')
+
+optional_policy(`
+    systemd_private_tmp(grafana_tmp_t)
+')
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -21,9 +21,11 @@ end}
 %global gomodulesmode GO111MODULE=auto
 %global gotestflags   %{gotestflags} -tags=integration

+%global selinux_variants mls targeted
+
 Name:             grafana
 Version:          9.2.10
-Release:          4%{?dist}
+Release:          15%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@ -58,6 +60,11 @@ Source6:          list_bundled_nodejs_packages.py
 # Source7 contains the script to create the vendor and webpack bundles in a container
 Source7:          create_bundles_in_container.sh

+# Source8 - Source10  contain the grafana-selinux policy
+Source8:          grafana.te
+Source9:          grafana.fc
+Source10:         grafana.if
+
 # Patches affecting the source tarball
 Patch1:           0001-update-grafana-cli-script-with-distro-specific-paths.patch
 Patch2:           0002-add-manpages.patch
@ -70,6 +77,7 @@ Patch8:           0008-graphite-functions-xss.patch
 Patch9:           0009-redact-weak-ciphers.patch
 Patch10:          0010-skip-tests.patch
 Patch11:          0011-remove-email-lookup.patch
+Patch12:          0012-coredump-selinux-error.patch

 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -81,7 +89,7 @@ ExclusiveArch:    %{grafana_arches}

 BuildRequires:    systemd
 BuildRequires:    systemd-rpm-macros
-BuildRequires:    golang >= 1.17
+BuildRequires:    golang
 BuildRequires:    go-srpm-macros
 %if 0%{?rhel} >= 9
 BuildRequires:    go-rpm-macros
@ -107,6 +115,14 @@ Requires(pre):    shadow-utils
 BuildRequires:    shared-mime-info
 Requires:         shared-mime-info

+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 8
+# This ensures that the grafana-selinux package and all its dependencies are
+# not pulled into containers and other systems that do not use SELinux
+Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-targeted)
+%else
+Requires: grafana-selinux = %{version}-%{release}
+%endif
+
 %if 0%{?fedora} || 0%{?rhel} > 7
 Recommends: grafana-pcp
 %endif
@ -708,6 +724,20 @@ Provides: bundled(npm(yaml)) = 1.10.2
 Grafana is an open source, feature rich metrics dashboard and graph editor for
 Graphite, InfluxDB & OpenTSDB.

+# SELinux package
+%package selinux
+Summary:        SELinux policy module supporting grafana
+BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
+%if "%{_selinux_policy_version}" != ""
+Requires:       selinux-policy >= %{_selinux_policy_version}
+%endif
+Requires:       %{name} = %{version}-%{release}
+Requires:	selinux-policy-targeted
+Requires(post):   /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
+Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
+
+%description selinux
+SELinux policy module supporting grafana

 %prep
 %setup -q -T -D -b 0
@ -719,6 +749,10 @@ rm -r plugins-bundled
 %setup -q -T -D -b 2
 %endif

+# SELinux policy
+mkdir SELinux
+cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
+
 %patch -P 1 -p1
 %patch -P 2 -p1
 %patch -P 3 -p1
@ -730,6 +764,7 @@ rm -r plugins-bundled
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
+%patch -P 12 -p1

 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -758,6 +793,16 @@ for cmd in grafana-cli grafana-server; do
    %gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd}
 done

+# SELinux policy
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+  mv grafana.pp grafana.pp.${selinuxvariant}
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
+

 %install
 # dirs, shared files, public html, webpack
@ -817,6 +862,16 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \
 # systemd-sysusers configuration
 install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf

+# SELinux policy
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+  install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+  install -p -m 644 grafana.pp.${selinuxvariant} \
+    %{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp
+done
+cd -
+
 %pre
 %sysusers_create_compat %{SOURCE3}

@ -866,12 +921,12 @@ export TZ=GMT
 # required since RHEL 8.8 to fix the following error:
 # "imports crypto/boring: build constraints exclude all Go files in /usr/lib/golang/src/crypto/boring"
 # can be removed in a future Go release
-export GOEXPERIMENT=boringcrypto
-%gotest ./pkg/...
+#export GOEXPERIMENT=boringcrypto
+#% gotest ./pkg/...

-%if %{enable_fips_mode}
-OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
-%endif
+#%if %{enable_fips_mode}
+#OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
+#%endif

 %files
 # binaries and wrappers
@ -919,8 +974,68 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 %doc CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md GOVERNANCE.md HALL_OF_FAME.md ISSUE_TRIAGE.md MAINTAINERS.md
 %doc PLUGIN_DEV.md README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md

+# SELinux policy
+%post selinux
+for selinuxvariant in %{selinux_variants}
+do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || :
+done
+/sbin/restorecon -RvF /usr/sbin/grafana-* &> /dev/null || :
+/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
+/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
+/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
+/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
+/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
+  for selinuxvariant in %{selinux_variants}
+  do
+    /usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || :
+  done
+  /sbin/restorecon -RvF /usr/sbin/grafana-* &> /dev/null || :
+  /sbin/restorecon -RvF /etc/grafana &> /dev/null || :
+  /sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
+  /sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
+  /sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
+fi
+
+%files selinux
+%defattr(-,root,root,0755)
+%doc SELinux/*
+%{_datadir}/selinux/*/grafana.pp

 %changelog
+* Wed Jan 31 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-15
+- Resolves RHEL-23468
+- Allows for gid to be 0
+- Allows for postgreSQL datasource in selinux policy
+
+* Tue Dec 19 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
+- Fixes postgresql AVC denial
+- Related RHEL-7505
+
+* Thu Dec 14 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-13
+- Resolves RHEL-19296
+- Fixes coredump issue introduced by selinux
+- Patches out call to panic when trying to walk "/" directory
+
+* Thu Nov 30 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
+- Resolves RHEL-7505
+- Fixes additional selinux denials found when testing on certain architectures
+
+* Tue Nov 21 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-11
+- Resolves RHEL-7505
+- Fixes selinux denials found when testing on certain architectures
+
+* Wed Nov 15 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-10
+- Resolves RHEL-7505
+- Adds a selinux policy for grafana
+- Resolves RHEL-12666
+- fix CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
+
 * Thu Jul 20 2023 Stan Cox <scox@redhat.com> 9.2.10-5
 - resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth