#%PAM-1.0
-auth include system-auth
-
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
account required pam_nologin.so
-account include system-auth
-
-password include system-auth
-
-session include system-auth
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin