diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 44b167af43..a05ae8ca37 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -20,3 +20,4 @@
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
/run/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+/run/polkit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 26844e4070..33312e9826 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -15,6 +15,7 @@ init_nnp_daemon_domain(policykit_t)
type policykit_auth_t, policykit_domain;
type policykit_auth_exec_t;
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+init_nnp_daemon_domain(policykit_auth_t)
type policykit_grant_t, policykit_domain;
type policykit_grant_exec_t;
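Review bot: `init_nnp_daemon_domain(policykit_auth_t)` is added without a comment saying why the auth helper now needs an NNP transition from init. The same applies to `auth_nnp_domtrans_chkpwd(policykit_auth_t)` in the second hunk of this file. Both rules relax the restriction SELinux places on domain transitions once no_new_privs is set, so a one-line rationale lets a later audit decide whether they are still required. Something like `# auth helper is started by systemd with NoNewPrivileges=yes` above the first call and `# helper runs with no_new_privs and still has to exec chkpwd` above the second would do. That wording is inferred from the change, so confirm it against the unit file, which is not visible here.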
@@ -209,6 +210,7 @@ fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
+auth_nnp_domtrans_chkpwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index de62df4df2..d195a78fd1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -488,6 +488,23 @@ interface(`auth_domtrans_chkpwd',`
auth_domtrans_upd_passwd($1)
')
+########################################
+##
+## Allow caller to transition to chkpwd_t with NoNewPrivileges
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`auth_nnp_domtrans_chkpwd',`
+ gen_require(`
+ type chkpwd_t;
+ ')
+ allow $1 chkpwd_t:process2 nnp_transition;
+')
+
########################################
##
## Execute chkpwd in the caller domain.
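Review bot: The name `auth_nnp_domtrans_chkpwd` and its summary read as if the interface grants a domain transition, but the body only allows `$1 chkpwd_t:process2 nnp_transition`. A caller that uses it alone gets no transition at all, so the description should say it must be paired with `auth_domtrans_chkpwd`, as policykit.te does through `auth_domtrans_chk_passwd`. For example: `## Allow the chkpwd_t transition to proceed when the caller has no_new_privs set. Does not grant the transition itself.` It is also worth noting in the description that `nnp_transition` exempts the caller from the type-bounds check SELinux otherwise applies under no_new_privs. The interface should therefore be granted only to confined daemon domains that are known to run with NoNewPrivileges.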