--- a/data/pam/lightdm
+++ b/data/pam/lightdm
-@@ -1,19 +1,35 @@
+@@ -1,20 +1,35 @@
#%PAM-1.0
# Block login if they are globally disabled
-# Check account is active, change password if required
-account required pam_unix.so
-+auth optional pam_gnome_keyring.so
++-auth optional pam_gnome_keyring.so
-# Allow password to be changed
-password required pam_unix.so
-# Setup session
-session required pam_unix.so
+-session optional pam_systemd.so
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
-+session optional pam_gnome_keyring.so auto_start
++-session optional pam_gnome_keyring.so auto_start
+
+@include common-password
+--- a/data/pam/lightdm-greeter
++++ b/data/pam/lightdm-greeter
+@@ -1,7 +1,7 @@
+ #%PAM-1.0
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+ # Always let the greeter start without authentication
+ auth required pam_permit.so
--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
-@@ -1,19 +1,35 @@
+@@ -1,20 +1,35 @@
#%PAM-1.0
# Block login if they are globally disabled
-# Setup session
-session required pam_unix.so
+-session optional pam_systemd.so
+@include common-password
---- a/data/pam/lightdm-greeter
-+++ b/data/pam/lightdm-greeter
-@@ -1,7 +1,7 @@
- #%PAM-1.0
-
- # Load environment from /etc/environment and ~/.pam_environment
--auth required pam_env.so
-+auth required pam_env.so envfile=/etc/default/locale
-
- # Always let the greeter start without authentication
- auth required pam_permit.so