diff --git a/roles/base/files/selinux/mapchkpwd.pp b/roles/base/files/selinux/mapchkpwd.pp
new file mode 100644
index 0000000000..09d3ad9432
Binary files /dev/null and b/roles/base/files/selinux/mapchkpwd.pp differ
diff --git a/roles/base/files/selinux/mapchkpwd.te b/roles/base/files/selinux/mapchkpwd.te
new file mode 100644
index 0000000000..c53be11145
--- /dev/null
+++ b/roles/base/files/selinux/mapchkpwd.te
@@ -0,0 +1,11 @@
+
+module mapchkpwd 1.0;
+
+require {
+ type chkpwd_t;
+ type shadow_t;
+ class file map;
+ }
+
+#============= chkpwd_t ==============
+allow chkpwd_t shadow_t:file map;
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 45f80a8091..c950be9d61 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -334,6 +334,23 @@
 - config
 - rsyslog-audit
 
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+ copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+ register: selinux_module
+ when: ansible_distribution_major_version|int >= 27
+ tags:
+ - config
+ - selinux
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/mapchkpwd.pp
+ when: selinux_module|changed
+ when: ansible_distribution_major_version|int >= 27
+ tags:
+ - selinux
+ - config
+
 - name: Setup postfix
 import_tasks: postfix.yml
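Review bot: The policy source in mapchkpwd.te carries no explanation of why chkpwd_t needs `map` on shadow_t, and the prebuilt mapchkpwd.pp that the preceding entry adds as a binary blob cannot be checked by a reviewer against this source — the commit records neither the denial that motivated the rule nor the build command. The `#============= chkpwd_t ==============` banner looks like audit2allow output, so the originating AVC message is presumably at hand and worth keeping with the source. I would put a header at the top of the file, e.g. `# Lets unix_chkpwd (chkpwd_t) mmap the shadow file; added after an AVC denial on <hosts/version placeholder>` followed by `# Build: checkmodule -M -m -o mapchkpwd.mod mapchkpwd.te && semodule_package -o mapchkpwd.pp -m mapchkpwd.mod`, so the shipped .pp can be rebuilt and compared. The rule itself is narrowly scoped (one source domain, one target type, one permission), which is the right shape for a local exception.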
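Review bot: The second task ("install our custom selinux module") declares `when:` twice, which is a duplicate mapping key in YAML; Ansible's loader keeps only one of them (typically the last), so the `selinux_module|changed` guard is most likely discarded and `semodule -i` runs on every play instead of only after the .pp actually changed. The `|changed` filter form is also the older test syntax; both conditions belong in a single list under one key: `when:` / `  - selinux_module is changed` / `  - ansible_distribution_major_version|int >= 27`. As written, a host that never received a new module still gets the policy re-installed each run, which also masks whether the copy task's change detection is working. The hunk's trailing context after `import_tasks: postfix.yml` appears to be cut off in this view.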