diff -Nur totpcgi-0.5.5.orig/selinux/totpcgi.te totpcgi-0.5.5/selinux/totpcgi.te
--- totpcgi-0.5.5.orig/selinux/totpcgi.te	2015-08-05 16:17:19.549958405 -0600
+++ totpcgi-0.5.5/selinux/totpcgi.te	2015-08-05 16:17:54.879345935 -0600
@@ -48,19 +48,28 @@
 files_dontaudit_list_tmp(totpcgi_provisioning_script_t)
 # This should be upstream, really.
-allow httpd_suexec_t httpd_t:unix_stream_socket { read write };
-#
+optional_policy(`
+	require {
+		type httpd_t;
+		type httpd_suexec_t;
+	}
+	allow httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
 # Allow binding to ldap
 sysnet_dns_name_resolve(totpcgi_script_t)
-miscfiles_read_generic_certs(totpcgi_script_t)
 sysnet_use_ldap(totpcgi_script_t)
 sysnet_dns_name_resolve(totpcgi_provisioning_script_t)
-miscfiles_read_generic_certs(totpcgi_provisioning_script_t)
 sysnet_use_ldap(totpcgi_provisioning_script_t)
+miscfiles_read_generic_certs(totpcgi_script_t)
+miscfiles_read_generic_certs(totpcgi_provisioning_script_t)
+
 # Allow connecting to postgresql
-postgresql_tcp_connect(totpcgi_script_t)
-postgresql_stream_connect(totpcgi_script_t)
-postgresql_tcp_connect(totpcgi_provisioning_script_t)
-postgresql_stream_connect(totpcgi_provisioning_script_t)
+optional_policy(`
+	postgresql_tcp_connect(totpcgi_script_t)
+	postgresql_stream_connect(totpcgi_script_t)
+	postgresql_tcp_connect(totpcgi_provisioning_script_t)
+	postgresql_stream_connect(totpcgi_provisioning_script_t)
+')
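Review bot: The raw `allow httpd_suexec_t httpd_t:unix_stream_socket { read write };` inside the first `optional_policy` block widens access between two domains this module does not define (both are pulled in via `require`), and the only rationale left in the file is the retained comment "This should be upstream, really." — that tells the next maintainer neither why suexec needs the socket nor when the rule can be dropped. I would replace that comment with something like `# Workaround (not a totpcgi type): suexec needs read/write on the stream socket it gets from httpd_t; remove once the equivalent rule is carried by the apache policy upstream` and, if a bug or patch has been filed, cite it. The `optional_policy` wrapping is correct for loading when apache is absent, but note that it also means the rule silently disappears in that case, which is harmless here. For the postgresql block the same caveat is worth a comment, e.g. `# Only effective when the postgresql module is loaded; a pgsql backend on a system without it will hit AVC denials on connect`, since wrapping the interface calls in `optional_policy` turns a hard build-time dependency into a silent runtime denial.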