From 473937f554363bc64c001d8773c5fe1d83794671 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 13 Jul 2023 15:41:06 -0500 Subject: [PATCH] Update fapolicy rules Previously the fapolicy rules only granted the permissions to a subfolder in Tomcat work directory corresponding to the default engine and host defined in server.xml, so if the admin changes the engine or the host the fapolicy rules will need to be changed as well. To reduce maintenance, the fapolicy rules have been updated to grant the permissions to the entire Tomcat work directory such that the engine or the host can be changed without having to change the fapolicy rules. Updating fapolicy rules has to be done during RPM upgrade since it requires root permissions. The regular PKI server upgrade scripts run as pkiuser so it can't be used here. The template for the fapolicy rules has been moved into a file such that it can be used both during installation and upgrade. --- base/server/etc/fapolicy.rules | 1 + .../deployment/scriptlets/fapolicy_setup.py | 34 +++++++++++++++---- pki.spec | 20 +++++++++++ 3 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 base/server/etc/fapolicy.rules diff --git a/base/server/etc/fapolicy.rules b/base/server/etc/fapolicy.rules new file mode 100644 index 00000000000..5594c22d53f --- /dev/null +++ b/base/server/etc/fapolicy.rules @@ -0,0 +1 @@ +allow perm=open dir=/usr/lib/jvm/ : dir=[WORK_DIR]/ diff --git a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py index e92d828ca10..398e8414dd2 100644 --- a/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py +++ b/base/server/python/pki/server/deployment/scriptlets/fapolicy_setup.py @@ -19,11 +19,14 @@ # from __future__ import absolute_import +import grp import logging import os -import shutil +import pwd import subprocess +import pki + # PKI Deployment Imports from .. import pkiconfig as config from .. import pkiscriptlet @@ -60,12 +63,29 @@ def spawn(self, deployer): logger.info('Add fapolicy rule for the instance %s', deployer.mdict['pki_instance_name']) - with open(fapolicy_rule_file, mode='w', encoding='utf-8') as rules: - rules.write('allow perm=open dir=/usr/lib/jvm/ : dir=' + - deployer.mdict['pki_tomcat_work_catalina_host_path'] + - '/\n') - shutil.chown(fapolicy_rule_file, user='root', group='fapolicyd') - os.chmod(fapolicy_rule_file, 0o644) + + template = os.path.join( + pki.server.PKIServer.SHARE_DIR, + 'server', + 'etc', + 'fapolicy.rules') + + params = { + 'WORK_DIR': self.instance.work_dir + } + + uid = pwd.getpwnam('root').pw_uid + gid = grp.getgrnam('fapolicyd').gr_gid + mode = 0o644 + + pki.util.copyfile( + template, + fapolicy_rule_file, + params=params, + uid=uid, + gid=gid, + mode=mode, + force=True) self.restart_fapolicy_daemon() diff --git a/pki.spec b/pki.spec index e9c3fe4286e..3e4a265e299 100644 --- a/pki.spec +++ b/pki.spec @@ -978,6 +978,26 @@ then systemctl daemon-reload fi +# Update the fapolicy rules for each PKI server instance +for instance in $(ls /var/lib/pki) +do + target="/etc/fapolicyd/rules.d/61-pki-$instance.rules" + + sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \ + /usr/share/pki/server/etc/fapolicy.rules \ + > $target + + chown root:fapolicyd $target + chmod 644 $target +done + +# Restart fapolicy daemon if it's active +status=$(systemctl is-active fapolicyd) +if [ "$status" = "active" ] +then + systemctl restart fapolicyd +fi + # with server %endif