From 941e3db5670133188517f439992cfdf4cc7f4432 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Fri, 10 Sep 2010 18:21:54 +0200
Subject: [PATCH] Access for confined users to oidentd user home content is unconditional.

Signed-off-by: Dominick Grift
---
 policy/modules/roles/staff.te | 9 +++++----
 policy/modules/roles/unprivuser.te | 10 +++++-----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0c9876c5..3fed14e4 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -26,6 +26,11 @@ optional_policy(`
 dbadm_role_change(staff_r)
 ')

+optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
+
 optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')
@@ -120,10 +125,6 @@ ifndef(`distro_redhat',`
 mta_role(staff_r, staff_t)
 ')

- optional_policy(`
- oident_manage_user_content(staff_t)
- oident_relabel_user_content(staff_t)
- ')
 optional_policy(`
 pyzor_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e8a507d9..93b9f7f9 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -16,6 +16,11 @@ optional_policy(`
 apache_role(user_r, user_t)
 ')

+optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
+
 optional_policy(`
 screen_role_template(user, user_r, user_t)
 ')
@@ -93,11 +98,6 @@ ifndef(`distro_redhat',`
 mta_role(user_r, user_t)
 ')

- optional_policy(`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
- ')
-
 optional_policy(`
 postgresql_role(user_r, user_t)
 ')
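Review bot: The new optional_policy block in the first staff.te hunk has no comment recording why the oident access now sits outside the distro_redhat ifndef. The removed lines appear to have been inside that conditional, so on distro_redhat builds staff_t would newly gain manage and relabel access to oidentd user home content. The first unprivuser.te hunk does the same for user_t. A one-line comment above each new block would keep the intent visible to the next maintainer, for example `# Unconditional: confined users manage their oidentd home content on all distributions.` The interfaces oident_manage_user_content and oident_relabel_user_content are defined outside this patch. Before granting relabel to every confined login user, it is worth confirming that the interface covers only the oidentd home content type.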