diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index f6a54b3d..6118ed91 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1,5 +1,78 @@
 ## Common policy for authentication and user login.
+#######################################
+##
+## Common template to create a domain for authentication.
+##
+##
+##

+## This template creates a derived domain which is allowed
+## to authenticate users by using PAM unix_chkpwd support.
+##

+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+#
+template(`authlogin_common_auth_domain_template',`
+ gen_require(`
+ attribute can_read_shadow_passwords;
+ type chkpwd_exec_t, shadow_t;
+ ')
+
+ type $1_chkpwd_t, can_read_shadow_passwords;
+ domain_type($1_chkpwd_t)
+ domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
+
+ allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
+ allow $1_chkpwd_t self:process getattr;
+
+ files_list_etc($1_chkpwd_t)
+ allow $1_chkpwd_t shadow_t:file { getattr read };
+
+ # is_selinux_enabled
+ kernel_read_system_state($1_chkpwd_t)
+
+ dev_read_rand($1_chkpwd_t)
+ dev_read_urand($1_chkpwd_t)
+
+ fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
+
+ libs_use_ld_so($1_chkpwd_t)
+ libs_use_shared_libs($1_chkpwd_t)
+
+ files_read_etc_files($1_chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var($1_chkpwd_t)
+
+ logging_send_syslog_msg($1_chkpwd_t)
+
+ miscfiles_read_certs($1_chkpwd_t)
+ miscfiles_read_localization($1_chkpwd_t)
+
+ seutil_read_config($1_chkpwd_t)
+
+ sysnet_dns_name_resolve($1_chkpwd_t)
+ sysnet_use_ldap($1_chkpwd_t)
+
+ optional_policy(`kerberos',`
+ kerberos_use($1_chkpwd_t)
+ ')
+
+ optional_policy(`nis',`
+ nis_use_ypbind($1_chkpwd_t)
+ ')
+
+ optional_policy(`nscd',`
+ nscd_use_socket($1_chkpwd_t)
+ ')
+
+ optional_policy(`samba',`
+ samba_connect_winbind($1_chkpwd_t)
+ ')
+')
+
 #######################################
 ##
 ## The per user domain template for the authlogin module.
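Review bot: The capability rule `allow $1_chkpwd_t self:capability { audit_write audit_control setuid };` in the new common template widens system_chkpwd_t once authlogin.te instantiates it with `authlogin_common_auth_domain_template(system)`: the authlogin.te hunk at -263 removes `allow system_chkpwd_t self:capability setuid;`, so that domain goes from setuid alone to setuid plus audit_write and audit_control, and, as far as that hunk shows, also picks up files_list_etc. audit_write fits the netlink_audit_socket rule that authlogin.te keeps for system_chkpwd_t, but audit_control also covers changing audit configuration, which is more than emitting records needs; unless unix_chkpwd is known to require it, the template should grant `{ audit_write setuid }` only, or the commit message should state the widening as intended. The template description could also tell callers what it leaves to them, e.g. `## Callers still need to assign roles to $1_chkpwd_t and set up the domain transition into it.`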
@@ -29,87 +102,33 @@ ## # template(`authlogin_per_userdomain_template',` + gen_require(` - attribute can_read_shadow_passwords; - type chkpwd_exec_t, system_chkpwd_t, shadow_t; + type system_chkpwd_t, shadow_t; ') - type $1_chkpwd_t, can_read_shadow_passwords; - domain_type($1_chkpwd_t) - domain_entry_file($1_chkpwd_t,chkpwd_exec_t) + authlogin_common_auth_domain_template($1) + role $3 types $1_chkpwd_t; role $3 types system_chkpwd_t; - allow $1_chkpwd_t self:capability { audit_write audit_control setuid }; - allow $1_chkpwd_t self:process getattr; - - files_list_etc($1_chkpwd_t) - allow $1_chkpwd_t shadow_t:file { getattr read }; - allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + dontaudit $2 shadow_t:file { getattr read }; + # Transition from the user domain to this domain. domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) - allow $1_chkpwd_t $2:fd use; allow $2 $1_chkpwd_t:fd use; allow $1_chkpwd_t $2:fifo_file rw_file_perms; allow $1_chkpwd_t $2:process sigchld; - dontaudit $2 shadow_t:file { getattr read }; - - # is_selinux_enabled - kernel_read_system_state($1_chkpwd_t) - - dev_read_rand($1_chkpwd_t) - dev_read_urand($1_chkpwd_t) - - fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) - domain_use_wide_inherit_fd($1_chkpwd_t) - libs_use_ld_so($1_chkpwd_t) - libs_use_shared_libs($1_chkpwd_t) - - files_read_etc_files($1_chkpwd_t) - # for nscd - files_dontaudit_search_var($1_chkpwd_t) - - logging_send_syslog_msg($1_chkpwd_t) - - miscfiles_read_certs($1_chkpwd_t) - miscfiles_read_localization($1_chkpwd_t) - - seutil_read_config($1_chkpwd_t) - - sysnet_dns_name_resolve($1_chkpwd_t) - sysnet_use_ldap($1_chkpwd_t) + seutil_use_newrole_fd($1_chkpwd_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_chkpwd_t) - - # Inherit and use descriptors from gnome-pty-helper. 
- #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
- optional_policy(`kerberos',`
- kerberos_use($1_chkpwd_t)
- ')
-
- optional_policy(`nis',`
- nis_use_ypbind($1_chkpwd_t)
- ')
-
- optional_policy(`nscd',`
- nscd_use_socket($1_chkpwd_t)
- ')
-
- optional_policy(`samba',`
- samba_connect_winbind($1_chkpwd_t)
- ')
-
- optional_policy(`selinuxutil',`
- seutil_use_newrole_fd($1_chkpwd_t)
- ')
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 157b8d4a..fc2dd877 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.0.2)
+policy_module(authlogin,1.0.3)
 ########################################
 #
@@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-type system_chkpwd_t, can_read_shadow_passwords;
-domain_type(system_chkpwd_t)
-domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
+authlogin_common_auth_domain_template(system)
 role system_r types system_chkpwd_t;
 type utempter_t;
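Review bot: The per-userdomain template's trimmed gen_require, `type system_chkpwd_t, shadow_t;`, no longer names chkpwd_exec_t, yet the unchanged line `domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)` in this hunk still uses it. That presumably builds only because the nested authlogin_common_auth_domain_template($1) call requires chkpwd_exec_t first, so a later change to that template's gen_require would break this one with no local hint; keeping `type chkpwd_exec_t, system_chkpwd_t, shadow_t;` makes the dependency explicit. Separately, `seutil_use_newrole_fd($1_chkpwd_t)` is now called without the optional_policy(`selinuxutil') wrapper this hunk removes; that matches the unconditional seutil_read_config in the common template, but the commit description should say the wrapper was dropped deliberately.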
@@ -263,62 +261,19 @@ ifdef(`xdm.te', `
 # System check password local policy
 #
-allow system_chkpwd_t self:capability setuid;
-allow system_chkpwd_t self:process getattr;
 allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow system_chkpwd_t shadow_t:file { getattr read };
-# is_selinux_enabled
-kernel_read_system_state(system_chkpwd_t)
-
-dev_read_rand(system_chkpwd_t)
-dev_read_urand(system_chkpwd_t)
-
-fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_tty(system_chkpwd_t)
-term_dontaudit_use_generic_pty(system_chkpwd_t)
-
 corecmd_search_sbin(system_chkpwd_t)
 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
-files_read_etc_files(system_chkpwd_t)
-# for nscd
-files_dontaudit_search_var(system_chkpwd_t)
-
-libs_use_ld_so(system_chkpwd_t)
-libs_use_shared_libs(system_chkpwd_t)
-
-logging_send_syslog_msg(system_chkpwd_t)
-
-miscfiles_read_localization(system_chkpwd_t)
-miscfiles_read_certs(system_chkpwd_t)
-
-seutil_read_config(system_chkpwd_t)
-
-sysnet_dns_name_resolve(system_chkpwd_t)
-sysnet_use_ldap(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_generic_pty(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
-optional_policy(`kerberos',`
- kerberos_use(system_chkpwd_t)
-')
-
-optional_policy(`nis',`
- nis_use_ypbind(system_chkpwd_t)
-')
-
-optional_policy(`nscd',`
- nscd_use_socket(system_chkpwd_t)
-')
-
-optional_policy(`samba',`
- samba_connect_winbind(system_chkpwd_t)
-')
-
 ########################################
 #
 # Utempter local policy