Move program admin template usage out of userdom_admin_user_template() to sysadm policy in userdomain.te to fix usage of the template for third parties.

Changelog

@@ -1,3 +1,6 @@
+- Move program admin template usage out of userdom_admin_user_template() to
+  sysadm policy in userdomain.te to fix usage of the template for third
+  parties.
 - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
   template instead of an interface.
 

policy/modules/system/userdomain.if

@@ -1224,22 +1224,6 @@ template(`userdom_admin_user_template',`
 		fs_read_noxattr_fs_files($1_t)
 	')
 
-	optional_policy(`
-		cron_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		ethereal_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		lpr_admin_template($1,$1_t,$1_r)
-	')
-
-	optional_policy(`
-		mta_admin_template($1,$1_t,$1_r)
-	')
-
 	optional_policy(`
 		userhelper_exec($1_t)
 	')

policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.2.0)
+policy_module(userdomain,2.2.1)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -293,6 +293,10 @@ ifdef(`strict_policy',`
 		')
 	')
 
+	optional_policy(`
+		cron_admin_template(sysadm,sysadm_t,sysadm_r)
+	')
+
 	optional_policy(`
 		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
 		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
@@ -321,6 +325,7 @@ ifdef(`strict_policy',`
 
 	optional_policy(`
 		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
+		ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
 	')
 
 	optional_policy(`
@@ -363,6 +368,7 @@ ifdef(`strict_policy',`
 
 	optional_policy(`
 		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
+		lpr_admin_template(sysadm,sysadm_t,sysadm_r)
 	')
 
 	optional_policy(`
@@ -379,6 +385,10 @@ ifdef(`strict_policy',`
 		mount_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`
+		mta_admin_template(sysadm,sysadm_t,sysadm_r)
+	')
+
 	optional_policy(`
 		mysql_stream_connect(sysadm_t)
 	')