diff --git a/base/server/etc/fapolicy.rules b/base/server/etc/fapolicy.rules
new file mode 100644
index 00000000000..5594c22d53f
--- /dev/null
+++ b/base/server/etc/fapolicy.rules
@@ -0,0 +1 @@
+allow perm=open dir=/usr/lib/jvm/ : dir=[WORK_DIR]/
diff --git a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
index e92d828ca10..398e8414dd2 100644
--- a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
+++ b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py
@@ -19,11 +19,14 @@
 #
 from __future__ import absolute_import
+import grp
 import logging
 import os
-import shutil
+import pwd
 import subprocess
+import pki
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkiscriptlet
@@ -60,12 +63,29 @@ def spawn(self, deployer):
         logger.info('Add fapolicy rule for the instance %s',
                     deployer.mdict['pki_instance_name'])
-        with open(fapolicy_rule_file, mode='w', encoding='utf-8') as rules:
-            rules.write('allow perm=open dir=/usr/lib/jvm/ : dir=' +
-                        deployer.mdict['pki_tomcat_work_catalina_host_path'] +
-                        '/\n')
-        shutil.chown(fapolicy_rule_file, user='root', group='fapolicyd')
-        os.chmod(fapolicy_rule_file, 0o644)
+
+        template = os.path.join(
+            pki.server.PKIServer.SHARE_DIR,
+            'server',
+            'etc',
+            'fapolicy.rules')
+
+        params = {
+            'WORK_DIR': self.instance.work_dir
+        }
+
+        uid = pwd.getpwnam('root').pw_uid
+        gid = grp.getgrnam('fapolicyd').gr_gid
+        mode = 0o644
+
+        pki.util.copyfile(
+            template,
+            fapolicy_rule_file,
+            params=params,
+            uid=uid,
+            gid=gid,
+            mode=mode,
+            force=True)
+
         self.restart_fapolicy_daemon()
diff --git a/pki.spec b/pki.spec
index e9c3fe4286e..3e4a265e299 100644
--- a/pki.spec
+++ b/pki.spec
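Review bot: The new template carries no comment saying that `[WORK_DIR]` is a placeholder filled in at install or deployment time, so a reader of the file under /usr/share/pki/server/etc/ may take the bracketed path for a literal fapolicyd rule. fapolicyd rule files accept `#` comment lines, and both consumers in this commit (the `params` substitution in fapolicy_setup.py and the `sed` in pki.spec) copy the rest of the file through, so a one-line header such as `# Template: [WORK_DIR] is replaced with the instance work directory before this file is installed under /etc/fapolicyd/rules.d/` would document the contract without changing the rule.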
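Review bot: The bare `import pki` added here is what the later hunk relies on for `pki.server.PKIServer.SHARE_DIR` and `pki.util.copyfile`, but a package import only exposes those submodules if something else has already imported them; that is presumably the case since this scriptlet lives under pki.server, yet the dependency is left implicit. `import pki.server` and `import pki.util` would state it explicitly and match the one-name-per-line style of the surrounding imports.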
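Review bot: The rule's target directory moves from `deployer.mdict['pki_tomcat_work_catalina_host_path']` to `self.instance.work_dir`, which — if that property resolves to the instance's top-level work directory, as the spec's `/var/lib/pki/$instance/work` substitution suggests — widens the allow rule from the Catalina host subdirectory to the whole work tree; if that widening is intended, a comment above `params` such as `# Rule covers the whole instance work dir, matching the %post sed in pki.spec` would keep a later reader from narrowing it back. `pwd.getpwnam('root')` and `grp.getgrnam('fapolicyd')` raise `KeyError` when the account or group is missing, as the old `shutil.chown` did, but now the lookup fails before any file is written rather than leaving a half-configured rule file behind, which is the better order. The body of `spawn` starts outside the hunk.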
@@ -978,6 +978,26 @@
 then
     systemctl daemon-reload
 fi
+# Update the fapolicy rules for each PKI server instance
+for instance in $(ls /var/lib/pki)
+do
+    target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
+
+    sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
+        /usr/share/pki/server/etc/fapolicy.rules \
+        > $target
+
+    chown root:fapolicyd $target
+    chmod 644 $target
+done
+
+# Restart fapolicy daemon if it's active
+status=$(systemctl is-active fapolicyd)
+if [ "$status" = "active" ]
+then
+    systemctl restart fapolicyd
+fi
+
 # with server
 %endif
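Review bot: The `%post` loop writes a rules file for every name that `ls /var/lib/pki` prints, with no check that `/etc/fapolicyd/rules.d` exists or that the entry is an instance directory, so on a host without fapolicyd the redirection `> $target` fails for each entry, and a stray file in `/var/lib/pki` gets its own `61-pki-*.rules`. Iterating a glob instead of parsing `ls`, skipping non-directories and guarding on the rules directory keeps the scriptlet quiet on such hosts; the rewritten loop header is below and the `sed`/`chown`/`chmod` body is unchanged. Quoting `"$target"` in the redirection and in the `chown`/`chmod` lines would also match the quoted assignment above them.
```shell
# Update the fapolicy rules for each PKI server instance
# (only when fapolicyd's rules directory is present)
if [ -d /etc/fapolicyd/rules.d ]
then
    for dir in /var/lib/pki/*/
    do
        [ -d "$dir" ] || continue
        instance=$(basename "$dir")
        target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
        # … unchanged: sed / chown / chmod of "$target" …
    done
fi
```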