From aa3ba8daeb63f0c8fd259a1dfbb119eec842c4a1 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Mon, 13 Jan 2025 18:51:04 +0100
Subject: [PATCH] Fix logrotate error

If the log rotate is invoked following a log using slf4j-impl the current policy denied the accees to the log folder and the rotate fails. This is always the case with the change to the SessionTimer class. To solve the problem the policy is updated to grant slf4j-impl read/write access to log folders.
---
 base/server/share/conf/pki.policy | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index 97b293fddaf..2ee56223cb4 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -26,6 +26,13 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
 permission java.io.FilePermission "${catalina.base}/logs/-", "read,write";
 };
 
+// If log rotate is initiated by a log call using slf4j-impl
+// the library need to have read/write access to log folder or
+// the policy will denied access and the rotation fails
+grant codeBase "file:/usr/share/java/slf4j/-" {
+ permission java.io.FilePermission "${catalina.base}/logs/-", "read,write";
+};
+
 // According to /etc/tomcat/catalina.policy:
 // If using a per instance lib directory, i.e. ${catalina.base}/lib,
 // then the following permission will need to be uncommented
@@ -49,3 +56,4 @@ grant codeBase "file:/usr/share/java/pki/-" {
 grant codeBase "file:${catalina.base}/webapps/-" {
 permission java.security.AllPermission;
 };
+
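Review bot: The added `grant codeBase "file:/usr/share/java/slf4j/-"` block in the first hunk applies to every JAR under that directory and its subdirectories, while the commit message says only slf4j-impl needs to reach the log folder during rotation. Anything else installed under `/usr/share/java/slf4j/` would then also hold read/write access to `${catalina.base}/logs/-`, the instance's log directory. Consider naming the binding JAR explicitly, as the tomcat-juli grant just above does: `grant codeBase "file:/usr/share/java/slf4j/<slf4j-impl-jar-name>.jar" {` (placeholder; the real file name is not visible in this patch). The comment could also state that the grant is needed because the permission check covers every code source on the call stack, so the reason is not lost in a later policy cleanup.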