patch from Serge Hallyn Thu, 09 Feb 2006 13:42:36 -0600, plus fix the rules in the TODO.

refpolicy/policy/modules/services/cron.te

@@ -134,6 +134,8 @@ seutil_sigchld_newrole(crond_t)
 miscfiles_read_localization(crond_t)
 
 userdom_use_unpriv_users_fd(crond_t)
+# Not sure why this is needed
+userdom_list_all_users_home_dir(crond_t)
 
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -201,23 +203,6 @@ optional_policy(`udev',`
 	udev_read_db(crond_t)
 ')
 
-ifdef(`TODO',`
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# crond tries to search /root.  Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-ifdef(`apache.te',`
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
-
-# to search /home
-allow crond_t user_home_dir_type:dir r_dir_perms;
-') dnl endif TODO
-
 ########################################
 #
 # System cron process domain
@@ -371,6 +356,11 @@ ifdef(`targeted_policy',`
 		seutil_read_file_contexts(system_crond_t)
 	')
 
+	optional_policy(`apache',`
+		# Needed	 for certwatch
+		apache_exec_modules(system_crond_t)
+	')
+
 	optional_policy(`cyrus',`
 		cyrus_manage_data(system_crond_t)
 	')

refpolicy/policy/modules/system/userdomain.if

@@ -3236,6 +3236,23 @@ interface(`userdom_read_sysadm_home_files',`
 	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
 ')
 
+########################################
+## <summary>
+##	List all users home directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_list_all_users_home_dir',`
+	gen_require(`
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search all users home directories.