require{
    type certmonger_t;
    type pegasus_conf_t;
}
allow certmonger_t pegasus_conf_t:file {
    ioctl read getattr lock open
} ;
# make -f /usr/share/selinux/devel/Makefile mypegasus.pp
# semodule -i mypegasus.pp