Why might pam not use unix_chkpwd?

I've seen a few reports that proftpd's sftp support isn't working with SELinux in enforcing mode: https://bugzilla.redhat.com/show_bug.cgi?id=1529576 https://github.com/proftpd/proftpd/issues/659 Using strace, it appears that proftpd is rejecting logins after failing to access /etc/shadow, but why would it be doing that at all, rather than using the unix_chkpwd helper? Googling this, the only similar issue I saw was this: http://blog.siphos.be/2014/12/why-does-it-access-etcshadow/ but this seems to be different because ftpd policy does include auth_use_pam. Any thoughts on this? I did try this locally and couldn't reproduce it, so it seems to be configuration/environment-specific rather than something being fundamentally wrong. Paul.