Update fapolicy rules

Previously the fapolicy rules only granted the permissions to a subfolder in Tomcat work directory corresponding to the default engine and host defined in server.xml, so if the admin changes the engine or the host the fapolicy rules will need to be changed as well. To reduce maintenance, the fapolicy rules have been updated to grant the permissions to the entire Tomcat work directory such that the engine or the host can be changed without having to change the fapolicy rules. Updating fapolicy rules has to be done during RPM upgrade since it requires root permissions. The regular PKI server upgrade scripts run as pkiuser so it can't be used here. The template for the fapolicy rules has been moved into a file such that it can be used both during installation and upgrade.
dogtagpki · Jul 14, 2023 · 70a4265 · 70a4265
1 parent 3a611ff
commit 70a4265
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 7 deletions.
diff --git a/base/server/etc/fapolicy.rules b/base/server/etc/fapolicy.rules
@@ -0,0 +1 @@
+allow perm=open dir=/usr/lib/jvm/ : dir=[WORK_DIR]/
diff --git a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
@@ -19,11 +19,14 @@
 #
 
 from __future__ import absolute_import
+import grp
 import logging
 import os
-import shutil
+import pwd
 import subprocess
 
+import pki
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkiscriptlet
@@ -60,12 +63,29 @@ def spawn(self, deployer):
 
         logger.info('Add fapolicy rule for the instance %s',
                     deployer.mdict['pki_instance_name'])
-        with open(fapolicy_rule_file, mode='w', encoding='utf-8') as rules:
-            rules.write('allow perm=open dir=/usr/lib/jvm/ : dir=' +
-                        deployer.mdict['pki_tomcat_work_catalina_host_path'] +
-                        '/\n')
-        shutil.chown(fapolicy_rule_file, user='root', group='fapolicyd')
-        os.chmod(fapolicy_rule_file, 0o644)
+
+        template = os.path.join(
+            pki.server.PKIServer.SHARE_DIR,
+            'server',
+            'etc',
+            'fapolicy.rules')
+
+        params = {
+            'WORK_DIR': self.instance.work_dir
+        }
+
+        uid = pwd.getpwnam('root').pw_uid
+        gid = grp.getgrnam('fapolicyd').gr_gid
+        mode = 0o644
+
+        pki.util.copyfile(
+            template,
+            fapolicy_rule_file,
+            params=params,
+            uid=uid,
+            gid=gid,
+            mode=mode,
+            force=True)
 
         self.restart_fapolicy_daemon()
 

diff --git a/pki.spec b/pki.spec
@@ -978,6 +978,26 @@ then
     systemctl daemon-reload
 fi
 
+# Update the fapolicy rules for each PKI server instance
+for instance in $(ls /var/lib/pki)
+do
+    target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
+
+    sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
+        /usr/share/pki/server/etc/fapolicy.rules \
+        > $target
+
+    chown root:fapolicyd $target
+    chmod 644 $target
+done
+
+# Restart fapolicy daemon if it's active
+status=$(systemctl is-active fapolicyd)
+if [ "$status" = "active" ]
+then
+    systemctl restart fapolicyd
+fi
+
 # with server
 %endif