#!/bin/bash

#
# With /run/pesign/socket on tmpfs, a simple way of restoring the
# acls for specific groups is useful
#
#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
#

# License: GPLv2

if [[ -r /etc/pesign/groups ]]; then
    for group in $(cat /etc/pesign/groups); do
	if [ -d /var/run/pesign ]; then
	    setfacl -m g:${group}:rx /var/run/pesign
	    if [ -e /var/run/pesign/socket ]; then
		setfacl -m g:${group}:rw /var/run/pesign/socket
	    fi
	fi
	if [ -d /etc/pki/pesign ]; then
	    setfacl -m g:${group}:rx /etc/pki/pesign
	    setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
	fi
    done
fi
