From Debian package 0.2.20100524-2

Move optional block from apache.te down into kerberos_keytab_template
This ensures that the type httpd_keytab_t is declared in the apache module,
needed for apache.fc
This removes a dependency of apache on kerberos

Index: policy/modules/services/apache.te
===================================================================
--- policy/modules/services/apache.te.orig
+++ policy/modules/services/apache.te
@@ -555,9 +555,7 @@
 	')
 ')
 
-optional_policy(`
 	kerberos_keytab_template(httpd, httpd_t)
-')
 
 optional_policy(`
 	# read munin files
Index: policy/modules/services/kerberos.if
===================================================================
--- policy/modules/services/kerberos.if.orig
+++ policy/modules/services/kerberos.if
@@ -237,8 +237,10 @@
 
  	allow $2 $1_keytab_t:file read_file_perms;
 
-	kerberos_read_keytab($2)
-	kerberos_use($2)
+	optional_policy(`
+		kerberos_read_keytab($2)
+		kerberos_use($2)
+	')
 ')
 
 ########################################