diff --git a/Changelog b/Changelog
index 440eb51..2e91113 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4be14a3..6c82b49 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -126,6 +126,11 @@ template(`su_restricted_domain_template', `
 		kerberos_use($1_su_t)
 	')
 
+	optional_policy(`
+		# used when the password has expired
+		usermanage_read_crack_db($1_su_t)
+	')
+
 	ifdef(`TODO',`
 	# Caused by su - init scripts
 	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -292,6 +297,11 @@ template(`su_role_template',`
 		kerberos_use($1_su_t)
 	')
 
+	optional_policy(`
+		# used when the password has expired
+		usermanage_read_crack_db($1_su_t)
+	')
+
 	# Modify .Xauthority file (via xauth program).
 	optional_policy(`
 		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index ab532d3..97c4c33 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su, 1.9.1)
+policy_module(su, 1.9.2)
 
 ########################################
 #