Heres a patch I built in main policy for F15 that removes macros using
except_shadow and replaces them with except_auth_file.
It adds a new attribute declared in authlogin.te called
"authentication_file_type" and a new macro in files.te called
"files_authentication_file" to add the attribute for the file.
shadow_t has an authentication_file_type.
Dont *think* I broke anything with this patch.
My git skills are poor but this diff produces the changes I had made.