diff --git a/selinux/ipa.if b/selinux/ipa.if
index 783db8b78..8c47e7963 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -328,6 +328,25 @@ interface(`ipa_custodia_domtrans',`
 	domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
 ')
 
+######################################
+## <summary>
+##	Execute ipa-pki-retrieve-key in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_pki_retrieve_key_exec',`
+	gen_require(`
+		type ipa_pki_retrieve_key_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ipa_pki_retrieve_key_exec_t)
+')
+
 ######################################
 ## <summary>
 ##	Execute ipa_custodia in the caller domain.