diff --git a/shadow-4.2.1-selinux-perms.patch b/shadow-4.2.1-selinux-perms.patch index eb18aeb..7e7f70e 100644 --- a/shadow-4.2.1-selinux-perms.patch +++ b/shadow-4.2.1-selinux-perms.patch @@ -1,6 +1,6 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c --- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200 ++++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200 @@ -39,6 +39,13 @@ #include #include @@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* local function prototypes */ static void fail_exit (int code); static /*@noreturn@*/void usage (int status); -@@ -300,6 +310,62 @@ static void check_perms (void) +@@ -300,6 +310,63 @@ static void check_perms (void) #endif /* ACCT_TOOLS_SETUID */ } @@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} @@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c /* * open_files - lock and open the group databases */ -@@ -393,6 +459,7 @@ int main (int argc, char **argv) +@@ -393,6 +460,7 @@ int main (int argc, char **argv) const struct group *gr; struct group newgr; 
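Review bot: The result of `audit_log_user_avc_message(...)` in the `@@ -44,16 +44,17 @@` hunk is discarded, so when the audit write fails the SELinux denial is recorded nowhere — the `vsyslog` fallback after `#endif` is only reached when the audit branch is not taken at all. libaudit's user-message loggers report failure with a non-positive return, and `buf` already holds the formatted text, so the branch should fall back to syslog without touching the consumed `ap`: `if (audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0) <= 0) syslog (LOG_USER | LOG_INFO, "%s", buf);`. The `audit_close(audit_fd);` on the following line also deserves a second look now that `main` calls `audit_help_open ()`: the descriptor's declaration is above this hunk, and if `audit_fd` is the global that helper populates rather than a local opened inside this callback, the first logged denial closes the descriptor the rest of the program relies on. The chpasswd copy of the callback in the `@@ -178,16 +183,17 @@` hunk has the same two issues, and in both files the callback's opening lines, including the audit descriptor setup, lie before the hunk.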
@@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c int errors = 0; int line = 0; -@@ -408,8 +475,29 @@ int main (int argc, char **argv) +@@ -408,8 +476,33 @@ int main (int argc, char **argv) OPENLOG ("chgpasswd"); ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ + /* + * Determine the name of the user that invoked this command. This + * is really hit or miss because there are so many ways that command @@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif -@@ -536,6 +624,15 @@ int main (int argc, char **argv) +@@ -536,6 +629,15 @@ int main (int argc, char **argv) newgr.gr_passwd = cp; } @@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c * be written to the group file later, after all the diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c --- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100 -+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200 ++++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200 @@ -39,6 +39,13 @@ #include #include @@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ -@@ -297,6 +304,62 @@ static void check_perms (void) +@@ -297,6 +304,63 @@ static void check_perms (void) #endif /* USE_PAM */ } @@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c + char *buf; + + if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; ++ goto ret; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); + audit_close(audit_fd); + free(buf); -+ return 0; ++ goto ret; + } + +#endif + vsyslog (LOG_USER | LOG_INFO, fmt, ap); ++ret: + va_end(ap); + return 0; +} 
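Review bot: The `audit_help_open ();` added right after `OPENLOG ("chgpasswd");` carries no comment saying why the audit descriptor has to be opened this early, before the permission checks main goes on to make; the same bare call is added to chpasswd in the `@@ -222,8 +228,14 @@` hunk. Suggest `/* Open the audit socket up front so audit records, including SELinux denials reported through the log callback, have a descriptor to write to. */` above the `#ifdef WITH_AUDIT`, adjusting the wording if the callback turns out to open its own descriptor. The enclosing main() starts and ends outside the hunk in both files.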
@@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c /* * open_files - lock and open the password databases */ -@@ -407,6 +470,10 @@ int main (int argc, char **argv) +@@ -405,8 +469,16 @@ int main (int argc, char **argv) + OPENLOG ("chpasswd"); + ++#ifdef WITH_AUDIT ++ audit_help_open (); ++#endif ++ check_perms (); +#ifdef WITH_SELINUX @@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */ -@@ -566,6 +633,11 @@ int main (int argc, char **argv) +@@ -566,6 +638,11 @@ int main (int argc, char **argv) newpw.pw_passwd = cp; } @@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c * The updated password file entry is then put back and will * be written to the password file later, after all the diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am ---- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200 +--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200 @@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) 
@@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in ---- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200 -+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200 +--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200 ++++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200 @@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $( newuidmap_LDADD = $(LDADD) $(LIBSELINUX) newgidmap_LDADD = $(LDADD) $(LIBSELINUX) diff --git a/shadow-utils.spec b/shadow-utils.spec index f8fb4aa..3444f5b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.2.1 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz @@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Mon May 30 2016 Tomáš Mráz - 2:4.2.1-10 +- chpasswd, chgpasswd: open audit when starting + * Thu May 26 2016 Tomáš Mráz - 2:4.2.1-9 - chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902)