diff --git a/cjdns.selinux.patch b/cjdns.selinux.patch index 34680df..65d7f9c 100644 --- a/cjdns.selinux.patch +++ b/cjdns.selinux.patch @@ -1,6 +1,6 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te ---- ./contrib/selinux/cjdns.te.selinux 2015-11-02 17:59:41.000000000 -0500 -+++ ./contrib/selinux/cjdns.te 2015-11-03 00:10:49.098890187 -0500 +--- ./contrib/selinux/cjdns.te.selinux 2018-01-30 19:04:59.000000000 -0500 ++++ ./contrib/selinux/cjdns.te 2018-03-05 01:15:40.302169785 -0500 @@ -7,8 +7,8 @@ require { type port_t; type unreserved_port_t; @@ -11,11 +11,13 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te } type cjdns_t; -@@ -18,23 +18,23 @@ init_daemon_domain(cjdns_t,cjdns_exec_t) +@@ -17,24 +17,24 @@ init_daemon_domain(cjdns_t,cjdns_exec_t) + #============= cjdns_t ============== # Let master process run further restricted subprocess - allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod }; +-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod }; -allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module }; ++allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod }; +allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot }; allow cjdns_t self:process { signal getcap setrlimit setcap }; -allow cjdns_t kernel_t:system module_request; diff --git a/cjdns.spec b/cjdns.spec index 282d97b..a3872fc 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,9 +2,11 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Option to enable SUBNODE mode (WIP) -%bcond_without subnode -# Use the optimized libnacl embedded with cjdns -%if %{with subnode} +%bcond_with subnode +# Option to use the optimized libnacl embedded with cjdns +%bcond_without embedded + +%if %{with subnode} || %{with embedded} %global use_embedded 1 %else %global use_embedded 0 
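Review bot: In the second hunk of cjdns.selinux.patch, the regenerated inner patch removes and re-adds `allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };` with a permission set that reads identically on both sides as shown here, and `map` appears in neither. The changelog entry added by this same commit says "selinux: Allow map access to cjdns_exec_t", so either the only difference is whitespace and the policy does not grant what the changelog claims, or the permission was lost when the patch was regenerated. If `map` is intended, I would expect the added inner line to read `allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };`, keeping the grant confined to the daemon's own executable type. The inner patch's `require` hunk is untouched by this commit, so it may also need `map` listed for class `file`; that part is not visible here and should be confirmed against the built policy module.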
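Review bot: The new `%if %{with subnode} || %{with embedded}` in the first cjdns.spec hunk lets `--with subnode` select the bundled libnacl even when the build is run with `--without embedded`, and neither comment above the two `%bcond` lines says so. Whether a package links a bundled crypto library or a system one is something a rebuilder should be able to choose deliberately (the spec declares `Provides: bundled(nacl) = 20110221` further down), so the override deserves a line next to the conditional. I would add `# NOTE: --with subnode also selects the embedded libnacl, even with --without embedded` directly above the `%if`. The conditional block is closed outside the hunk.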
@@ -47,7 +49,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 20.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -132,7 +134,7 @@ Provides: bundled(nacl) = 20110221 ExclusiveArch: %{nodejs_arches} %if 0%{use_embedded} # The nodejs build system for embedded cnacl has no "plan" for s390x. -# It might work to copy a plan for another big endian arch like ppc64. +# It might work to copy another big endian plan like ppc64. ExcludeArch: s390x %endif @@ -170,7 +172,7 @@ sessionStats show current crypto sessions %package -n python2-cjdns %{?python_provide:%python_provide python2-cjdns} # Remove before F30 -Provides: %{name}-python%{?_isa} = %{version}-%{release} +Provides: %{name}-python = %{version}-%{release} Obsoletes: %{name}-python < %{version}-%{release} Summary: Python tools for cjdns Group: System Environment/Base @@ -544,6 +546,10 @@ fi %{_bindir}/graphStats %changelog +* Wed Mar 6 2018 Stuart Gathman - 20.1-2 +- selinux: Allow map access to cjdns_exec_t +- disable subnode by default + * Wed Feb 21 2018 Stuart Gathman - 20.1-1 - New upstream release