From Debian policy 0.0.20080702-4 In russell-20080929.diff In Manoj's topic-debadim branch In Russell's 2010-07-08 patch Allow user domains to read /var/lib/dpkg Violates encapsulation: should just use 381_dpkg_read_db Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig +++ policy/modules/admin/dpkg.te @@ -168,6 +168,8 @@ userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) +allow userdomain dpkg_var_lib_t:dir list_dir_perms; +allow userdomain dpkg_var_lib_t:file read_file_perms; # transition to dpkg script: dpkg_domtrans_script(dpkg_t)
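Review bot: the two added `allow userdomain dpkg_var_lib_t:...` rules in policy/modules/admin/dpkg.te grant access with another module's attribute as the source, directly inside dpkg's own .te file. The patch description already flags this as an encapsulation violation. These rules should be dropped in favour of the interface route the header names (381_dpkg_read_db), so that the read access to dpkg_var_lib_t is exposed from the dpkg module's interface file and called from the user domain side. As written, every domain carrying the `userdomain` attribute gets list access to the directory and read access to its files, and no require for `userdomain` is visible in this hunk. The rules are also placed directly after the `userdom_use_unpriv_users_fds(dpkg_t)` call with no comment saying why user domains need the dpkg database, so if they stay, a one-line comment and a narrower source than the whole attribute would make the grant easier to audit.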