diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7e71118c9f..30b3061c41 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -334,6 +334,7 @@ term_use_all_ttys(passwd_t)
 term_use_all_ptys(passwd_t)
 
 auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_run_upd_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 50efcff7bf..4b5a72bc85 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -4,6 +4,8 @@
 /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/tcb(/.*)?		--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/security/opasswd		--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/security/opasswd\.old	--	gen_context(system_u:object_r:shadow_t,s0)
 
 /usr/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
 /usr/bin/pam_console_apply	--	gen_context(system_u:object_r:pam_console_exec_t,s0)
@@ -24,6 +26,7 @@
 
 /usr/sbin/pam_console_apply	--	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /usr/sbin/pam_timestamp_check	--	gen_context(system_u:object_r:pam_exec_t,s0)
+/usr/sbin/pwhistory_helper	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /usr/sbin/tcb_convert		--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /usr/sbin/tcb_unconvert		--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /usr/sbin/unix_chkpwd		--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index ab15b40d67..a62f993f06 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -391,6 +391,7 @@ files_manage_etc_files(updpwd_t)
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 
+auth_etc_filetrans_shadow(updpwd_t)
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)