diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 773a27bd6..e910bc0b7 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -134,6 +134,8 @@ seutil_sigchld_newrole(crond_t)
miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fd(crond_t)
+# Not sure why this is needed
+userdom_list_all_users_home_dir(crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -201,23 +203,6 @@ optional_policy(`udev',`
udev_read_db(crond_t)
')
-ifdef(`TODO',`
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# crond tries to search /root. Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-ifdef(`apache.te',`
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
-
-# to search /home
-allow crond_t user_home_dir_type:dir r_dir_perms;
-') dnl endif TODO
-
########################################
#
# System cron process domain
@@ -371,6 +356,11 @@ ifdef(`targeted_policy',`
seutil_read_file_contexts(system_crond_t)
')
+ optional_policy(`apache',`
+ # Needed for certwatch
+ apache_exec_modules(system_crond_t)
+ ')
+
optional_policy(`cyrus',`
cyrus_manage_data(system_crond_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index b66833ef0..7513b2451 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3236,6 +3236,23 @@ interface(`userdom_read_sysadm_home_files',`
allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
')
+########################################
+##
+## List all users home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_all_users_home_dir',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir list_dir_perms;
+')
+
########################################
##
## Search all users home directories.