diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index 9629d3d..fa62787 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',`
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')
+####################################
+##
+## Execute certmaster in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_exec',`
+ gen_require(`
+ type certmaster_exec_t;
+ ')
+
+ can_exec($1, certmaster_exec_t)
+ corecmd_search_bin($1)
+')
+
#######################################
##
## read certmaster logs.
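Review bot: The summary line `## Execute certmaster in the caller domain.` on the new certmaster_exec interface does not spell out what that means for confinement. `can_exec($1, certmaster_exec_t)` lets the caller run the binary with no transition to certmaster_t, so the process keeps the caller's permissions instead of being held to certmaster's own policy. I would extend the description with a line such as `## No domain transition takes place; use certmaster_domtrans where certmaster should run confined in certmaster_t.` so policy authors choose this interface deliberately. It is also worth confirming that each intended caller really needs to run certmaster unconfined; if it does not, the existing certmaster_domtrans in the context above is the narrower grant.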
@@ -79,7 +98,7 @@ interface(`certmaster_manage_log',`
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an snort environment
##
##