diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index eb8fe18..6b828eb 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -64,6 +64,7 @@
nessus
nsd
ntop
+ openca
openvpn (Petre Rodan)
perdition
postgrey
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 7cdaf0b..82e5153 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -37,6 +37,7 @@ ifdef(`distro_suse', `
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 6228049..4d17f49 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -473,6 +473,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
##
## Allow the specified domain to read
+## and write Apache cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read
## apache configuration files.
##
##
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 8f1bdd5..f012917 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -431,6 +431,13 @@ optional_policy(`
')
optional_policy(`
+ openca_domtrans(httpd_t)
+ openca_signal(httpd_t)
+ openca_sigstop(httpd_t)
+ openca_kill(httpd_t)
+')
+
+optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
')
diff --git a/refpolicy/policy/modules/services/openca.fc b/refpolicy/policy/modules/services/openca.fc
new file mode 100644
index 0000000..dc360b9
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/*.\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/refpolicy/policy/modules/services/openca.if b/refpolicy/policy/modules/services/openca.if
new file mode 100644
index 0000000..d84d2ed
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.if
@@ -0,0 +1,80 @@
+## OpenCA - Open Certificate Authority
+
+########################################
+##
+## Execute the OpenCA program with
+## a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_domtrans',`
+ gen_require(`
+ type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+ ')
+
+ domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+ allow httpd_t openca_usr_share_t:dir search_dir_perms;
+ files_search_usr(httpd_t)
+
+ allow openca_ca_t $1:fd use;
+ allow openca_ca_t $1:fifo_file rw_file_perms;
+ allow openca_ca_t $1:process sigchld;
+')
+
+########################################
+##
+## Send OpenCA generic signals.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_signal',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process signal;
+')
+
+########################################
+##
+## Send OpenCA stop signals.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_sigstop',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+##
+## Kill OpenCA.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_kill',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigkill;
+')
diff --git a/refpolicy/policy/modules/services/openca.te b/refpolicy/policy/modules/services/openca.te
new file mode 100644
index 0000000..04fc293
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.te
@@ -0,0 +1,85 @@
+
+policy_module(openca,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t,openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_type(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+
+# Allow access to other /var/lib/openca files
+allow openca_ca_t openca_var_lib_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+
+# Allow access to private CA key
+allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+
+# Allow access to other /usr/share/openca files
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_use_ld_so(openca_ca_t)
+libs_use_shared_libs(openca_ca_t)
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)