diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index ab494a017..114e6236b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,6 +97,8 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0)
+/etc/update-motd\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 4e75b6e11..b7030f728 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -276,6 +276,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
+ auth_use_pam_motd_dynamic(sshd_t)
')
ifdef(`init_systemd',`
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index e22945cd9..4a4ac4613 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -43,6 +43,9 @@ ifdef(`distro_suse', `
/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
+/run/motd -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.dynamic -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.dynamic\.new -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index fe9ca3bb9..aaf700f09 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -98,6 +98,32 @@ interface(`auth_use_pam_systemd',`
systemd_dbus_chat_logind($1)
')
+########################################
+##
+## Use the pam module motd with dynamic support during authentication.
+## This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
+## and was added to Debian (https://sources.debian.org/src/pam/1.3.1-5/debian/patches-applied/update-motd/)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_use_pam_motd_dynamic',`
+ gen_require(`
+ type pam_motd_runtime_t;
+ ')
+
+ # Allow pam_motd to run /usr/bin/env and /usr/bin/dash to generate
+ # /run/motd.dynamic from motd.dynamic.new.
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+
+ allow $1 pam_motd_runtime_t:file manage_file_perms;
+ files_pid_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new")
+')
+
########################################
##
## Make the specified domain used for a login program.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index a01ad0b4a..f4ade469d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -49,6 +49,9 @@ role system_r types pam_t;
type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)
+type pam_motd_runtime_t;
+files_pid_file(pam_motd_runtime_t)
+
type pam_tmp_t;
files_tmp_file(pam_tmp_t)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce93a..36b8f4461 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -69,8 +69,6 @@ ifdef(`distro_redhat',`
ifdef(`distro_debian',`
/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index a56f3d1fb..945dbdf8d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -144,6 +144,10 @@ ifdef(`init_systemd',`
systemd_manage_logind_pid_pipes(local_login_t)
')
+ifdef(`distro_debian',`
+ auth_use_pam_motd_dynamic(local_login_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(local_login_t)