diff --git a/Changelog b/Changelog
index 87fd0ff..1bdd76e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Context contains checking for PAM and cron from James Antill.
 - Add a reload target to Modules.devel and change the load
   target to only insert modules that were changed.
 - Allow semanage to read from /root on strict non-MLS for
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 641dcd2..4848d25 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -635,4 +635,5 @@ class key
 class context
 {
 	translate
+	contains
 }
diff --git a/policy/mls b/policy/mls
index 8ab1332..bdca162 100644
--- a/policy/mls
+++ b/policy/mls
@@ -597,4 +597,7 @@ mlsconstrain association { polmatch }
 mlsconstrain context translate
 	(( h1 dom h2 ) or ( t1 == mlstranslate ));
 
+mlsconstrain context contains
+	( h1 dom h2 );
+
 ') dnl end enable_mls
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0532edc..c47a891 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -22,6 +22,11 @@
 ## <rolebase/>
 #
 template(`userdom_base_user_template',`
+
+	gen_require(`
+		class context contains;
+	')
+
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
@@ -49,6 +54,7 @@ template(`userdom_base_user_template',`
 	allow $1_t self:sem create_sem_perms;
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
+	allow $1_t self:context contains;
 	dontaudit $1_t self:socket create;
 
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7999ffe..865fd42 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.0.2)
+policy_module(userdomain,2.0.3)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;