#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
-auth required pam_unix.so
-account required pam_unix.so
-password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
-password required pam_unix.so md5 shadow use_authtok
-password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
-session required pam_unix.so
+auth include system-auth
+account include system-auth
+password include system-auth
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_listfile.so item=user sense=allow file=/etc/security/chsh.allow onerr=fail
-auth required pam_unix.so
-account required pam_unix.so
-password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
-password required pam_unix.so md5 shadow use_authtok
-password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
-session required pam_unix.so
+auth include system-auth
+account include system-auth
+password include system-auth
#%PAM-1.0
-auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.login onerr=succeed
auth required pam_securetty.so
-auth required pam_unix.so
-auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
-auth required pam_shells.so
-auth required pam_nologin.so
-auth optional pam_mail.so
-account required pam_tally.so file=/var/log/faillog onerr=succeed
+auth include system-auth
+account required pam_shells.so
+account required pam_nologin.so
account required pam_access.so
-account required pam_time.so
-account required pam_unix.so
-password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
-password required pam_unix.so md5 shadow use_authtok
-password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
-session required pam_unix.so
-session required pam_env.so
-session required pam_limits.so change_uid
-#session required pam_selinux.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+# session required pam_selinux.so close
+session include system-auth
session optional pam_console.so
+session optional pam_mail.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+#session required pam_selinux.so open
+#session optional pam_keyinit.so force revoke