diff --git a/Changelog b/Changelog
index 7f98985..acaf378 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Cracklib update on Deban from Vaclav Ovsik.
 - Label /proc/kallsyms with system_map_t.
 - 64-bit capabilities from Stephen Smalley.
 - Labeled networking peer object class updates.
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 8250615..8f163b5 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.9.0)
+policy_module(usermanage,1.9.1)
 
 ########################################
 #
@@ -161,6 +161,13 @@ logging_send_syslog_msg(crack_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(crack_t)
 
+ifdef(`distro_debian',`
+	# the package cracklib-runtime on Debian contains a daily maintenance
+	# script /etc/cron.daily/cracklib-runtime, that calls
+	# update-cracklib and that calls crack_mkdict, which is a shell script.
+	corecmd_exec_shell(crack_t)
+')
+
 optional_policy(`
 	cron_system_entry(crack_t,crack_exec_t)
 ')