Are they completely getting rid of /etc/passwd? I don't believe pam_selinux actually looks at the shadow file at all. I believe it takes the user name and figures out the SELinux user from that and chooses the login context properly. I don't see how breaking out shadow would change that. I'll take a look into it. I haven't looked at how either of the projects work yet but my first concern would be that the shadow files just aren't label properly. Any links to the actual projects so I can check them out when I get home?