From Debian policy 0.0.20080702-5 Allow unconfined_r to transition to system_r
Index: policy/users
===================================================================
--- policy/users.orig
+++ policy/users
@@ -29,7 +29,7 @@
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
Index: policy/modules/system/unconfined.te
===================================================================
--- policy/modules/system/unconfined.te.orig
+++ policy/modules/system/unconfined.te
@@ -33,6 +33,8 @@
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
+allow unconfined_r system_r;
+
 init_run_daemon(unconfined_t, unconfined_r)
 libs_run_ldconfig(unconfined_t, unconfined_r)
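Review bot: In policy/users the added `system_r` on the `gen_user(unconfined_u, ...)` line is granted without any condition or explanation visible in the hunk, so every login mapped to unconfined_u appears to become authorised for the daemon role. The comment above the line is about user ordering, not roles, so someone auditing role separation cannot tell that this grant exists to pair with `allow unconfined_r system_r;` in unconfined.te. I would add a comment directly above it, for example `# system_r: pairs with "allow unconfined_r system_r" in unconfined.te; remove both together`. If only some policy flavours need this, an `ifdef` around the extended role list would leave the stricter builds unchanged.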
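Review bot: In unconfined.te, `allow unconfined_r system_r;` names no entrypoint, so the role change is bounded only by the domain transitions that type enforcement permits and by the types authorised for system_r. Since unconfined_t is lightly restricted by design, that probably covers most daemon domains; if that is intended, say so next to the rule, e.g. `# unconfined admins may start daemons directly in system_r; limited only by TE domain transitions`. Please also confirm that system_r is declared or required in this module, since the top of the file is outside the hunk.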