diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index c00dd05f9..32713a77f 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -68,6 +68,8 @@ template(`hadoop_domain_template',`
 filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
 auth_use_nsswitch(hadoop_$1_t)
+ auth_domtrans_chk_passwd(hadoop_$1_t)
+ auth_domtrans_upd_passwd(hadoop_$1_t)
 #################################### #
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 6d188933a..186e8b52c 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -216,8 +216,6 @@ dev_read_sysfs(hadoop_domain)
 files_search_runtime(hadoop_domain)
 files_search_var_lib(hadoop_domain)
-auth_domtrans_chkpwd(hadoop_domain)
-
 init_read_utmp(hadoop_domain)
 init_use_fds(hadoop_domain)
 init_use_script_fds(hadoop_domain)
diff --git a/policy/modules/services/pwauth.te b/policy/modules/services/pwauth.te
index e7a40019e..26cb28965 100644
--- a/policy/modules/services/pwauth.te
+++ b/policy/modules/services/pwauth.te
@@ -31,7 +31,8 @@ files_runtime_filetrans(pwauth_t, pwauth_runtime_t, file)
 domain_use_interactive_fds(pwauth_t)
-auth_domtrans_chkpwd(pwauth_t)
+auth_domtrans_chk_passwd(pwauth_t)
+auth_domtrans_upd_passwd(pwauth_t)
 auth_use_nsswitch(pwauth_t)
 init_read_utmp(pwauth_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index d6a3d706f..e0289265f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
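Review bot: The added `auth_domtrans_upd_passwd(hadoop_$1_t)` in the hadoop.if hunk lets every templated hadoop domain transition into the password-update helper, and nothing visible here shows that a hadoop service ever changes passwords. The deprecated `auth_domtrans_chkpwd` granted both transitions, so the expansion preserves behaviour, but this conversion is the natural point to keep only `auth_domtrans_chk_passwd(hadoop_$1_t)` unless an updater is known to be required. The same applies to `auth_domtrans_upd_passwd(pwauth_t)` in the pwauth.te hunk. Separately, the rule removed from hadoop.te was applied to the `hadoop_domain` attribute while its replacement applies to `hadoop_$1_t`; if any type carries that attribute without being created by `hadoop_domain_template`, it loses the transition, which should be confirmed against the type declarations outside this diff. The template body starts and ends outside the hunk.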
@@ -419,13 +419,9 @@ interface(`auth_domtrans_chk_passwd',`
 ## #
 interface(`auth_domtrans_chkpwd',`
- gen_require(`
- type chkpwd_t, chkpwd_exec_t, shadow_t;
- ')
+ refpolicywarn(`$0($*) has been deprecated, please use auth_domtrans_chk_passwd($1); auth_domtrans_upd_passwd($1) instead.')
- corecmd_search_bin($1)
- domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
- dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_chk_passwd($1)
 auth_domtrans_upd_passwd($1)
 ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e5730d536..754c9e1c8 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -7,7 +7,7 @@ policy_module(authlogin, 2.18.2)
 ## ##
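Review bot: The deprecated `auth_domtrans_chkpwd` wrapper no longer expands to the three rules it used to contain (the bin search, the `chkpwd_t` transition and the `shadow_t` dontaudit) but to whatever `auth_domtrans_chk_passwd` grants, and that interface's body is outside this hunk. If it allows more than those three rules, or omits the `dontaudit $1 shadow_t:file { getattr read };`, every caller still using the old name changes its effective permissions on rebuild with only the `refpolicywarn` message as notice. The commit message or the interface's doc block should state whether the two expansions are equivalent. The summary comment above the interface is not visible here; if it does not already say so, add `(Deprecated)` to its summary line so generated documentation matches the warning.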

-## Allow PAM usage. If disabled, /etc/shadow is provided on systems that do not support PAM.
+## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
 ##

##
gen_tunable(authlogin_pam, true)
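Review bot: The new description of `authlogin_pam` reads "read access /etc/shadow is allowed", which drops the preposition. This text is what an administrator sees when deciding whether to turn the tunable off, and turning it off is what grants the shadow read, so the consequence should be stated cleanly: `## Allow PAM usage. If disabled, read access to /etc/shadow is allowed for domains that normally use PAM.`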