From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 4/5] setfacl the db as well

And also get all our "-m [ug]:${name}:$perm" arguments right.

Signed-off-by: Peter Jones
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..13aefa6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
 setfacl -m g:${group}:rw /var/run/pesign/socket
 fi
 fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
 done
 fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..a43ce44 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -12,10 +12,14 @@ if [[ -r /etc/pesign/users ]]; then
 for username in $(cat /etc/pesign/users); do
 if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rx /var/run/pesign
 if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rw /var/run/pesign/socket
 fi
 fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
 done
 fi
--
2.5.0
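Review bot: The new `setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db` line runs unguarded once the directory exists, unlike the socket line just above it which is wrapped in `[ -e ... ]`, so a missing database file makes setfacl report an error for that path, and because `${group}` is unquoted a name containing whitespace or glob characters would split into extra arguments; the same applies to the `u:${username}` lines added in the pesign-authorize-users hunk. A per-file guard with quoting would mirror the existing socket check: `for db in /etc/pki/pesign/{cert8,key3,secmod}.db; do [ -e "$db" ] && setfacl -m "g:${group}:r" "$db"; done`. Note also that these ACLs now land on persistent files under /etc/pki rather than the boot-recreated socket, so a name later removed from /etc/pesign/groups or /etc/pesign/users appears to keep read access to the key database until the ACL is explicitly cleared; a comment stating that, or a `setfacl -b` reset before the loop if nothing else depends on those entries, would make the grant model explicit. The enclosing loop starts outside this hunk.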