pam_pwhistory needs to run a helper to save hashes from /etc/shadow to /etc/security/opasswd as these files have shadow_t context. Although current policy allows for passwd command to work with it it would not be possible to change expired passwords with login and other services. The attached patch implements the helper which is called when SELinux is enabled. Please review. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb