diff --git a/cockpit.pam b/cockpit.pam
new file mode 100644
index 0000000..946b745
--- /dev/null
+++ b/cockpit.pam
@@ -0,0 +1,16 @@
+#%PAM-1.0
+auth            required     pam_sepermit.so
+auth            substack     password-auth
+auth            include      postlogin
+account         required     pam_nologin.so
+account         include      password-auth
+password        include      password-auth
+# pam_selinux.so close should be the first session rule
+session         required     pam_selinux.so close
+session         required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session         required     pam_selinux.so open env_params
+session         optional     pam_keyinit.so force revoke
+session         include      password-auth
+session         include      postlogin
+