diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index d6222a6..cc1501b 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -9,7 +9,7 @@
 define(`authlogin_per_userdomain_template',`
 requires_block_template(`$0'_depend)
 
-type $1_chkpwd_t;     # , nscd_client_domain;
+type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
 domain_make_domain($1_chkpwd_t)
 domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
 role $1_r types $1_chkpwd_t;
@@ -18,67 +18,65 @@ role $1_r types system_chkpwd_t;
 allow $1_chkpwd_t self:capability setuid;
 allow $1_chkpwd_t self:process getattr;
 
-authlogin_read_shadow_passwords($1_chkpwd_t)
-logging_send_system_log_message($1_chkpwd_t)
+# FIXME: read etc_t dir
+allow $1_chkpwd_t shadow_t:file { getattr read };
+
+# is_selinux_enabled
+kernel_read_system_state($1_chkpwd_t)
+
+filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
+
+domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
 
 libraries_use_dynamic_loader($1_chkpwd_t)
 libraries_read_shared_libraries($1_chkpwd_t)
+
 files_read_general_system_config($1_chkpwd_t)
+# for nscd
+files_ignore_search_system_state_data_directory($1_chkpwd_t)
+
+logging_send_system_log_message($1_chkpwd_t)
+
 miscfiles_read_localization($1_chkpwd_t)
+
 selinux_read_config($1_chkpwd_t)
-filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
 
-# is_selinux_enabled
-kernel_read_system_state($1_chkpwd_t)
 #can_ypbind($1_chkpwd_t)
 #can_kerberos($1_chkpwd_t)
 #can_ldap($1_chkpwd_t)
 
-tunable_policy(`use_dns',`
-allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
-corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)
-corenetwork_network_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
-corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
-corenetwork_network_udp_on_dns_port($1_chkpwd_t)
-sysnetwork_read_network_config($1_chkpwd_t)
-') dnl end use_dns
-
-# for nscd
-files_ignore_search_system_state_data_directory($1_chkpwd_t)
-
-# Transition from the user domain to this domain.
-ifelse($1, system, `
-#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
-terminal_use_general_physical_terminal($1_chkpwd_t)
-', `
 # Transition from the user domain to this domain.
 allow $1_t chkpwd_exec_t:file { getattr read execute };
 allow $1_t $1_chkpwd_t:process transition;
 type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
 
-#allow $1_t sbin_t:dir search;
-
 # Write to the user domain tty.
 #userdomain_use_$1_terminal($1_chkpwd_t)
 #userdomain_use_$1_pty($1_chkpwd_t)
 
-domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
-
 # Inherit and use descriptors from gnome-pty-helper.
 #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
+tunable_policy(`use_dns',`
+allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
+corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_udp_on_dns_port($1_chkpwd_t)
+sysnetwork_read_network_config($1_chkpwd_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_use_file_descriptors($1_chkpwd_t)
 ')
 
-') dnl ifelse system
-
 ') dnl end authlogin_per_userdomain_template
 
 define(`authlogin_per_userdomain_template_depend',`
-type chkpwd_exec_t, system_chkpwd_t;
+attribute can_read_shadow_passwords;
+type chkpwd_exec_t, system_chkpwd_t, shadow_t;
 class file { getattr read execute };
 class process { getattr transition };
 class capability setuid;
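Review bot: The `# FIXME: read etc_t dir` comment added at the head of the rule block sits directly above `allow $1_chkpwd_t shadow_t:file { getattr read };` and reads as if it annotated that rule, yet the rule itself is not the open item. The .te counterpart later in this diff parks the same FIXME inside an `ifdef(`TODO'` block, so the two copies already disagree on whether it is outstanding work; I would move the comment to stand on its own and say what is missing, e.g. `# FIXME: still needs search on the etc_t directory that holds the shadow file` (presumably what "read etc_t dir" means — confirm). With the `ifelse($1, system, ...)` branch removed the template now unconditionally references `$1_t` in the transition rules, so it can only be instantiated for prefixes that declare a `$1_t` domain; a one-line comment stating that above the template's `define(` line (in the preceding hunk) would stop the next caller from passing `system` again.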
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 3929d8f..f426e4c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -50,6 +50,11 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
+type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+domain_make_domain(system_chkpwd_t)
+domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+role system_r types system_chkpwd_t;
+
 type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)
 
@@ -224,9 +229,51 @@ allow initrc_t pam_var_console_t:dir r_dir_perms;
 # System check password local policy
 #
 
-authlogin_per_userdomain_template(system)
+allow system_chkpwd_t self:capability setuid;
+allow system_chkpwd_t self:process getattr;
 
-domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+allow system_chkpwd_t shadow_t:file { getattr read };
+
+# is_selinux_enabled
+kernel_read_system_state(system_chkpwd_t)
+
+filesystem_ignore_get_persistent_filesystem_attributes(system_chkpwd_t)
+
+terminal_use_general_physical_terminal(system_chkpwd_t)
+
+files_read_general_system_config(system_chkpwd_t)
+# for nscd
+files_ignore_search_system_state_data_directory(system_chkpwd_t)
+
+libraries_use_dynamic_loader(system_chkpwd_t)
+libraries_read_shared_libraries(system_chkpwd_t)
+
+logging_send_system_log_message(system_chkpwd_t)
+
+miscfiles_read_localization(system_chkpwd_t)
+
+selinux_read_config(system_chkpwd_t)
+
+tunable_policy(`use_dns',`
+allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(system_chkpwd_t)
+corenetwork_network_raw_on_all_interfaces(system_chkpwd_t)
+corenetwork_network_udp_on_all_nodes(system_chkpwd_t)
+corenetwork_network_raw_on_all_nodes(system_chkpwd_t)
+corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
+corenetwork_network_udp_on_dns_port(system_chkpwd_t)
+sysnetwork_read_network_config(system_chkpwd_t)
+')
+
+ifdef(`TODO',`
+# FIXME: read etc_t dir
+
+can_ypbind(system_chkpwd_t)
+can_kerberos(system_chkpwd_t)
+can_ldap(system_chkpwd_t)
+
+dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
+')
 
 ########################################
 #
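Review bot: The rules added for system_chkpwd_t here duplicate the body of `authlogin_per_userdomain_template` from authlogin.if nearly verbatim (the shadow_t read, the nscd comment, the whole `use_dns` tunable block); the only system-specific line is `terminal_use_general_physical_terminal(system_chkpwd_t)`. Two hand-synchronised copies of the chkpwd rule set will drift, and they already have: the .if keeps `can_ypbind`/`can_kerberos`/`can_ldap` as `#` comments and puts the etc_t FIXME above the shadow rule, whereas this file wraps them in `ifdef(`TODO',...)`. I would factor the `$1_t`-independent rules into one shared macro in authlogin.if (a constructed name such as `authlogin_chkpwd_common_template`) and have both this file and the per-userdomain template call it, leaving only the transition rules and the terminal rule at the call sites. The `ifdef(`TODO'` block also names `user_tty_type`, which nothing in this diff declares or requires, so it must stay dead until that attribute is made available to this module.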