diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd
index 4b7d35c32..7407a9f99 100644
--- a/apparmor.d/profiles-s-z/unix-chkpwd
+++ b/apparmor.d/profiles-s-z/unix-chkpwd
@@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} {
   include <abstractions/nameservice-strict>
 
   capability audit_write,
+  capability dac_read_search,  # To read shadow with 000 permissions.
 
   network netlink raw,