diff --git a/ekshell.pamd b/ekshell.pamd
index c2f414c..847ec1b 100644
--- a/ekshell.pamd
+++ b/ekshell.pamd
@@ -6,5 +6,10 @@ auth required pam_securetty.so
 auth required pam_env.so
 auth required pam_rhosts_auth.so
 account include system-auth
-session optional pam_keyinit.so force revoke
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session optional pam_keyinit.so force revoke
 session include system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
+session required pam_loginuid.so
+session required pam_selinux.so open
diff --git a/gssftp.pamd b/gssftp.pamd
index e161ae6..442dfa7 100644
--- a/gssftp.pamd
+++ b/gssftp.pamd
@@ -4,6 +4,10 @@ auth required pam_shells.so
 auth include system-auth
 account required pam_nologin.so
 account include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
 session optional pam_keyinit.so force revoke
 session include system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
 session required pam_loginuid.so
+session required pam_selinux.so open
diff --git a/krb5.spec b/krb5.spec
index 40432a8..0526d92 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -210,6 +210,9 @@ installed on systems which are meant provide these services. %endif %changelog +* Wed Oct 17 2007 Nalin Dahyabhai 1.6.2-10 +- make proper use of pam_loginuid and pam_selinux in rshd and ftpd + * Fri Oct 12 2007 Nalin Dahyabhai - make krb5.conf %%verify(not md5 size mtime) in addition to %%config(noreplace), like /etc/nsswitch.conf (#329811)
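Review bot: The added comment `# pam_selinux.so open should only be called for sessions to be executed in the user context` sits above `session required pam_loginuid.so` rather than above the `pam_selinux.so open` line it describes. Its wording also does not state the ordering rule a later editor needs: modules that must run in the daemon's context, such as pam_loginuid, go before `open`, and only user-context modules go after it. I would move the comment directly above the `open` line and word it as `# pam_selinux.so open should only be followed by session modules that run in the user context`. The same placement appears in the gssftp.pamd and kshell.pamd hunks.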
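Review bot: In gssftp.pamd, `session required pam_selinux.so open` may not confine the FTP session the way the added comment implies. pam_selinux sets the security context for the next executed process, so a daemon that serves transfers in the authenticating process without exec'ing anything would stay in its own domain. Whether this ftpd execs per session is not visible in the hunk and should be confirmed. If it does not, a comment such as `# only affects programs ftpd execs after login; transfers run in the daemon's domain` would keep the file from overstating the protection.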
diff --git a/kshell.pamd b/kshell.pamd
index 168eaeb..016d2a2 100644
--- a/kshell.pamd
+++ b/kshell.pamd
@@ -6,5 +6,10 @@ auth required pam_securetty.so
 auth required pam_env.so
 auth required pam_rhosts_auth.so
 account include system-auth
-session optional pam_keyinit.so force revoke
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session optional pam_keyinit.so force revoke
 session include system-auth
+# pam_selinux.so open should only be called for sessions to be executed in the user context
+session required pam_loginuid.so
+session required pam_selinux.so open