diff --git a/debian/login.pam b/debian/login.pam
index 3226fe2d..553145fa 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -26,9 +26,19 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
 # Sets the loginuid process attribute
 session    required     pam_loginuid.so
 
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
 # SELinux needs to intervene at login time to ensure that the process
 # starts in the proper default security context. Only sessions which are
 # intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
@@ -71,13 +81,6 @@ session    required   pam_limits.so
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
 session    optional   pam_lastlog.so
 
-# Prints the message of the day upon successful login.
-# (Replaces the `MOTD_FILE' option in login.defs)
-# This includes a dynamically generated part from /run/motd.dynamic
-# and a static (admin-editable) part from /etc/motd.
-session    optional   pam_motd.so motd=/run/motd.dynamic
-session    optional   pam_motd.so noupdate
-
 # Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
 #