OK, that means
/{etc,run,run/host,/usr/lib}/userdb/ r,
/{etc,run,run/host,/usr/lib}/userdb/*.user r,
One question before I submit a patch: Are all files in these directories named
*.user, or should reading more (or even all) files in these directories be
allowed?