diff --git a/Changelog b/Changelog
index ed012d12..ffc191ad 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Handle unix_chkpwd usage by useradd and groupadd.
 - Add missing compatibility aliases for xdm_xserver*_t types.
 
 * Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 307cff77..1865872d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.13.0)
+policy_module(usermanage, 1.13.1)
 
 ########################################
 #
@@ -218,11 +218,14 @@ logging_send_syslog_msg(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
 
+auth_domtrans_chk_passwd(groupadd_t)
+auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
 auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
-auth_rw_lastlog(groupadd_t)
-auth_use_nsswitch(groupadd_t)
 
 seutil_read_config(groupadd_t)
 
@@ -465,12 +468,15 @@ selinux_compute_user_contexts(useradd_t)
 term_use_all_user_ttys(useradd_t)
 term_use_all_user_ptys(useradd_t)
 
-auth_manage_shadow(useradd_t)
-auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
+auth_domtrans_chk_passwd(useradd_t)
 auth_rw_lastlog(useradd_t)
 auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
+auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
+auth_etc_filetrans_shadow(useradd_t)
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)