Description of problem: pam_unix currently defaults to checking for read access on /etc/shadow and then fails over to using the helper applications. This causes us to have to add dontaudit DOMAIN shadow_t:file r_file_perms lines to every app that uses pam. This prevents us from actually realizing whether a domain is tring to steal the shadow file. Making this change would allow us to remove the dontaudit rule. The code should try to execute the helper apps and if it fails to be able to execute them (File does not exist, file is not executable), failover to using the /etc/shadow.
Fixed in pam-0.99.8.1-7.fc8 I don't try to read /etc/shadow directly when helper fails as the helper is always installed and reading /etc/shadow doesn't make sense. But the helper is executed only when selinux is enabled.