diff --git a/linux-pam.yaml b/linux-pam.yaml
index 21bacb9ed6c..04cd6d63e35 100644
--- a/linux-pam.yaml
+++ b/linux-pam.yaml
@@ -1,10 +1,13 @@
 package:
   name: linux-pam
   version: "1.7.1"
-  epoch: 2
+  epoch: 3
   description: Linux PAM (Pluggable Authentication Modules for Linux)
   copyright:
     - license: BSD-3-Clause
+  checks:
+    disabled:
+      - setuidgid
   dependencies:
     runtime:
       - merged-usrsbin
@@ -52,12 +55,16 @@ pipeline:
       done
 
       # make "unix_chkpwd" shadow group and enable g+s
-      chgrp shadow ${{targets.destdir}}/bin/unix_chkpwd \
-        && chmod g+s ${{targets.destdir}}/bin/unix_chkpwd
+      chgrp shadow ${{targets.destdir}}/usr/bin/unix_chkpwd \
+        && chmod g+s ${{targets.destdir}}/usr/bin/unix_chkpwd
 
       # Don't ship /var/run
       rm -r ${{targets.destdir}}/var/run
 
+      # Copy tmpfile template
+      mkdir -p ${{targets.destdir}}/usr/lib/tmpfiles.d/
+      mv pam-faillock.conf ${{targets.destdir}}/usr/lib/tmpfiles.d/
+
 subpackages:
   - name: linux-pam-dev
     pipeline:
diff --git a/linux-pam/pam-faillock.conf b/linux-pam/pam-faillock.conf
new file mode 100644
index 00000000000..617baff7a05
--- /dev/null
+++ b/linux-pam/pam-faillock.conf
@@ -0,0 +1,3 @@
+ # Create faillock directory with correct SELinux context                        
+ d /var/log/faillock 0700 root root - -                                          
+ Z /var/log/faillock - - - - -