From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 19 Nov 2015 11:36:59 -0500
Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the socket.

Signed-off-by: Peter Jones
---
 src/pesign-authorize-groups | 2 ++
 src/pesign-authorize-users | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2236bea 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
 for group in $(cat /etc/pesign/groups); do
 setfacl -m g:${group}:rx /var/run/pesign
 setfacl -m g:${group}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
 done
 fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..9c38a25 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
 for username in $(cat /etc/pesign/users); do
 setfacl -m u:${username}:rx /var/run/pesign
 setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
 done
 fi
-- 
2.5.0
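Review bot: The two lines added to pesign-authorize-groups use `${username}`, but the loop variable in this script is `group`, so unless `username` is set somewhere outside the hunk the entries expand to `g::rx` and `g::r`, which setfacl treats as the file's owning-group entry rather than a grant to the authorized group; the authorized group gets no access and the owning group's permissions are rewritten instead. The lines should read `setfacl -m g:${group}:rx /etc/pki/pesign` and `setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db`, matching the two context lines above them. The enclosing `if [[ -r /etc/pesign/groups ]]` block starts before the hunk. Like the existing lines, the new setfacl calls are not status-checked, so a missing DB file or a bad group name fails silently for that entry; a `|| printf 'pesign-authorize-groups: setfacl failed for %s\n' "$group" >&2` would surface it.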
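Review bot: The `r` grant on `/etc/pki/pesign/key3.db` in pesign-authorize-users gives every listed user read access to the NSS private-key database, which is a wider exposure than the socket grant it sits next to: once a user can copy key3.db, the signing key is protected by the DB password alone rather than by the daemon mediating requests over `/var/run/pesign/socket`. If client-side access to the DB is genuinely needed (for example to list certificates), a comment above the new lines stating that reason and that key3.db must stay password-protected would let a later maintainer judge the trade-off; if only cert8.db and secmod.db are needed, dropping key3 from the brace expansion narrows the exposure. The same consideration applies to the matching lines in the pesign-authorize-groups hunk. Note also that brace expansion passes all three paths to a single setfacl, so if any one of them is absent the command reports an error and the loop continues unchecked; the enclosing `if` block starts before the hunk.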