From 70a4265fc27cff8ce48fe02fd74c0cedddb3fb96 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 13 Jul 2023 15:41:06 -0500
Subject: [PATCH] Update fapolicy rules
Previously the fapolicy rules only granted the permissions to a subfolder in Tomcat work directory corresponding to the default engine and host defined in server.xml, so if the admin changes the engine or the host the fapolicy rules will need to be changed as well. To reduce maintenance, the fapolicy rules have been updated to grant the permissions to the entire Tomcat work directory such that the engine or the host can be changed without having to change the fapolicy rules. Updating fapolicy rules has to be done during RPM upgrade since it requires root permissions. The regular PKI server upgrade scripts run as pkiuser so it can't be used here. The template for the fapolicy rules has been moved into a file such that it can be used both during installation and upgrade.
---
 base/server/etc/fapolicy.rules | 1 +
 .../deployment/scriptlets/fapolicy_setup.py | 34 +++++++++++++++----
 pki.spec | 20 +++++++++++
 3 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 base/server/etc/fapolicy.rules
diff --git a/base/server/etc/fapolicy.rules b/base/server/etc/fapolicy.rules
new file mode 100644
index 00000000000..5594c22d53f
--- /dev/null
+++ b/base/server/etc/fapolicy.rules
@@ -0,0 +1 @@
+allow perm=open dir=/usr/lib/jvm/ : dir=[WORK_DIR]/
diff --git a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
index e92d828ca10..398e8414dd2 100644
--- a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
+++ b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
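Review bot: The new template base/server/etc/fapolicy.rules has no comment saying what the rule trusts or that `[WORK_DIR]` is a placeholder, although it is now rendered by two separate paths (pki.util.copyfile in fapolicy_setup.py and the sed call in pki.spec) that must keep agreeing on the token. A leading comment such as `# JVM may open files under this instance's Tomcat work directory; the path is filled in at install and upgrade time` would document it; keep the literal token out of the comment, since the sed call replaces every occurrence and copyfile presumably does too. The rule now covers the whole work directory rather than one engine/host subdirectory, which the commit message states is intended, so the comment is also the place to record that scope.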
@@ -19,11 +19,14 @@
 #
 from __future__ import absolute_import
+import grp
 import logging
 import os
-import shutil
+import pwd
 import subprocess
+import pki
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkiscriptlet
@@ -60,12 +63,29 @@ def spawn(self, deployer):
 logger.info('Add fapolicy rule for the instance %s', deployer.mdict['pki_instance_name'])
- with open(fapolicy_rule_file, mode='w', encoding='utf-8') as rules:
- rules.write('allow perm=open dir=/usr/lib/jvm/ : dir=' +
- deployer.mdict['pki_tomcat_work_catalina_host_path'] +
- '/\n')
- shutil.chown(fapolicy_rule_file, user='root', group='fapolicyd')
- os.chmod(fapolicy_rule_file, 0o644)
+
+ template = os.path.join(
+ pki.server.PKIServer.SHARE_DIR,
+ 'server',
+ 'etc',
+ 'fapolicy.rules')
+
+ params = {
+ 'WORK_DIR': self.instance.work_dir
+ }
+
+ uid = pwd.getpwnam('root').pw_uid
+ gid = grp.getgrnam('fapolicyd').gr_gid
+ mode = 0o644
+
+ pki.util.copyfile(
+ template,
+ fapolicy_rule_file,
+ params=params,
+ uid=uid,
+ gid=gid,
+ mode=mode,
+ force=True)
 self.restart_fapolicy_daemon()
diff --git a/pki.spec b/pki.spec
index e9c3fe4286e..3e4a265e299 100644
--- a/pki.spec
+++ b/pki.spec
@@ -978,6 +978,26 @@ then
 systemctl daemon-reload
 fi
+# Update the fapolicy rules for each PKI server instance
+for instance in $(ls /var/lib/pki)
+do
+ target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
+
+ sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
+ /usr/share/pki/server/etc/fapolicy.rules \
+ > $target
+
+ chown root:fapolicyd $target
+ chmod 644 $target
+done
+
+# Restart fapolicy daemon if it's active
+status=$(systemctl is-active fapolicyd)
+if [ "$status" = "active" ]
+then
+ systemctl restart fapolicyd
+fi
+
 # with server
 %endif
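Review bot: In the import hunk of fapolicy_setup.py, `import pki` binds only the top-level package, while the spawn() hunk dereferences `pki.server.PKIServer` and `pki.util.copyfile`. `pki.server` is necessarily loaded because this module lives under it, but `pki.util` resolves only if some other module has already imported it, which is not visible here. Importing what is used, `import pki.server` and `import pki.util`, would remove that dependency on import order.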
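Review bot: In the spawn() hunk of fapolicy_setup.py, `self.instance.work_dir` is substituted into the rule text without any check, and fapolicyd rules are whitespace-delimited, so a path containing a space or newline would render a rule that is malformed or different from the intended one. The instance name is probably validated elsewhere, but a guard before the copy is cheap, e.g. `if any(c.isspace() for c in self.instance.work_dir): raise ValueError('work dir not usable in fapolicy rule')`. spawn() starts and ends outside the hunk, so where `self.instance` is set cannot be checked from here.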
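Review bot: The upgrade loop in pki.spec iterates over `$(ls /var/lib/pki)` and uses `$target` unquoted, so it runs as root on word-split names, treats every entry under /var/lib/pki as an instance, and writes into /etc/fapolicyd/rules.d whether or not that directory or the fapolicyd group exists. The restart block just below already allows for fapolicyd being inactive, which suggests it may not be installed at all; in that case the redirect and chown fail during the scriptlet. Globbing directories, quoting, and guarding on the rules directory avoid this, as sketched below; `$instance` is still interpolated into the sed expression, so names containing sed-special characters would need escaping or rejecting.

```spec
# Update the fapolicy rules for each PKI server instance
if [ -d /etc/fapolicyd/rules.d ]
then
    for dir in /var/lib/pki/*/
    do
        [ -d "$dir" ] || continue
        instance=$(basename "$dir")
        target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"

        sed -e "s|\[WORK_DIR\]|/var/lib/pki/$instance/work|g" \
            /usr/share/pki/server/etc/fapolicy.rules \
            > "$target"

        chown root:fapolicyd "$target"
        chmod 644 "$target"
    done
fi
# … unchanged: restart fapolicyd if it is active …
```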