From Debian package 0.2.20100524-5

Add in_unconfined_r interface, for use by Postfix and mono

Index: policy/modules/system/unconfined.if
===================================================================
--- policy/modules/system/unconfined.if.orig
+++ policy/modules/system/unconfined.if
@@ -319,6 +319,37 @@
 
 ########################################
 ## <summary>
+##	Allow a domain to be in role unconfined_r
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to be run in the role unconfined_r
+##	This is suitable for domains that are entered indirectly from
+##	unconfined_t
+##	</p>
+##	<p>
+##	Also allow the domain to send sigchld to unconfined_t and use fds
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to be in unconfined_r
+##	</summary>
+## </param>
+#
+interface(`in_unconfined_r',`
+	gen_require(`
+		type unconfined_t;
+		role unconfined_r;
+	')
+
+	role unconfined_r types $1;
+	allow $1 unconfined_t:process sigchld;
+	allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Inherit file descriptors from the unconfined domain.
 ## </summary>
 ## <param name="domain">
@@ -608,17 +639,17 @@
 
 ########################################
 ## <summary>
-##     Read files in unconfined users home directories.
+##	Read files in unconfined users home directories.
 ## </summary>
 ## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`unconfined_read_home_content_files',`
 	gen_require(`
-	type unconfined_home_dir_t, unconfined_home_t;
+		type unconfined_home_dir_t, unconfined_home_t;
 	')
 
 	files_search_home($1)
@@ -629,21 +660,21 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search the unconfined
-##	users home directory.
+##      Do not audit attempts to search the unconfined
+##      users home directory.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
+##      <summary>
+##      Domain to not audit.
+##      </summary>
 ## </param>
 #
 interface(`unconfined_dontaudit_search_home_dirs',`
-	gen_require(`
-		type unconfined_home_dir_t;
-	')
+        gen_require(`
+                type unconfined_home_dir_t;
+        ')
 
-	dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
+        dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################