diff --git a/0001-pam-align-second-and-third-columns.patch b/0001-pam-align-second-and-third-columns.patch
new file mode 100644
index 0000000..8ab341b
--- /dev/null
+++ b/0001-pam-align-second-and-third-columns.patch
@@ -0,0 +1,48 @@
+From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Nov 2022 16:05:48 +0100
+Subject: [PATCH 1/2] pam: align second and third columns
+
+In our template file, we have jinja2 template markers, so the file
+looks fairly messy. But once it's rendered, it looks pretty clean, except
+that the columns are unaligned becuase of "-" in some lines in the first
+column. Let's make them aligned.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 39bcbd71fe..d5597d28cb 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,18 +4,18 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
++-account  sufficient pam_systemd_home.so
+ {% endif %}
+-account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account  sufficient pam_unix.so no_pass_expiry
++account  required pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
++session  required pam_selinux.so close
++session  required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
++session  required pam_loginuid.so
++session  optional pam_keyinit.so force revoke
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
++-session  optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session  optional pam_systemd.so
+-- 
+2.38.1
+
diff --git a/0002-pam-add-a-call-to-pam_namespace.patch b/0002-pam-add-a-call-to-pam_namespace.patch
new file mode 100644
index 0000000..51564d9
--- /dev/null
+++ b/0002-pam-add-a-call-to-pam_namespace.patch
@@ -0,0 +1,41 @@
+From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Nov 2022 16:09:56 +0100
+Subject: [PATCH 2/2] pam: add a call to pam_namespace
+
+A call to pam_namespace is required so that children of user@.service end up in
+a namespace as expected. pam_namespace gets called as part of the stack that
+creates a session (login, sshd, gdm, etc.) and those processes end up in a
+namespace, but it also needs to be called from our stack which is parallel and
+descends from pid1 itself.
+
+The call to pam_namespace is similar to the call to pam_keyinit that was added
+in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
+creates a new session which is disconnected from the parent environment. Both
+calls are not suitable for inclusion in the shared part of the stack (e.g.
+@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
+should not include them.
+
+Fixes #17043 (Allow to execute user service into dedicated namespace
+              if pam_namespace enabled)
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
+(Polyinstantiation is ignored/bypassed in GNOME sessions)
+---
+ src/login/systemd-user.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index d5597d28cb..06f7e36458 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -15,6 +15,7 @@ session  required pam_selinux.so nottys open
+ {% endif %}
+ session  required pam_loginuid.so
+ session  optional pam_keyinit.so force revoke
++session  required pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session  optional pam_systemd_home.so
+ {% endif %}
+-- 
+2.38.1
+
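Review bot: The added `session  required pam_namespace.so` line carries no comment, so nothing in systemd-user.in records why it sits in this stack rather than the shared one, or that with `required` a pam_namespace failure fails session setup for user@.service. I would put a comment above it, for example `# Polyinstantiation for user@.service; not in the shared stack because su/sudo/runuser must not run it`, which is the reasoning the commit message already gives. The line is also placed before the optional pam_systemd_home.so entry. If namespace.conf polyinstantiates anything under the home directory, that ordering presumably matters on homed systems and is worth confirming.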
diff --git a/0003-pam-actually-align-the-columns.patch b/0003-pam-actually-align-the-columns.patch
new file mode 100644
index 0000000..da4fcf2
--- /dev/null
+++ b/0003-pam-actually-align-the-columns.patch
@@ -0,0 +1,47 @@
+From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:23:31 +0100
+Subject: [PATCH 3/4] pam: actually align the columns
+
+In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align
+them, but for some reason I just added a second space everywhere.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 06f7e36458..9a665bd959 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,19 +4,19 @@
+ # Used by systemd --user instances.
+ 
+ {% if ENABLE_HOMED %}
+--account  sufficient pam_systemd_home.so
++-account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required pam_permit.so
++account  required   pam_permit.so
+ 
+ {% if HAVE_SELINUX %}
+-session  required pam_selinux.so close
+-session  required pam_selinux.so nottys open
++session  required   pam_selinux.so close
++session  required   pam_selinux.so nottys open
+ {% endif %}
+-session  required pam_loginuid.so
+-session  optional pam_keyinit.so force revoke
+-session  required pam_namespace.so
++session  required   pam_loginuid.so
++session  optional   pam_keyinit.so force revoke
++session  required   pam_namespace.so
+ {% if ENABLE_HOMED %}
+--session  optional pam_systemd_home.so
++-session optional   pam_systemd_home.so
+ {% endif %}
+-session  optional pam_systemd.so
++session  optional   pam_systemd.so
+-- 
+2.38.1
+
diff --git a/fedora-use-system-auth-in-pam-systemd-user.patch b/fedora-use-system-auth-in-pam-systemd-user.patch
new file mode 100644
index 0000000..3b7c10d
--- /dev/null
+++ b/fedora-use-system-auth-in-pam-systemd-user.patch
@@ -0,0 +1,31 @@
+From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user
+
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 9a665bd959..703a4b3174 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required   pam_permit.so
++account  include    system-auth
+ 
+ {% if HAVE_SELINUX %}
+ session  required   pam_selinux.so close
+@@ -19,4 +19,4 @@ session  required   pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session optional   pam_systemd_home.so
+ {% endif %}
+-session  optional   pam_systemd.so
++session  include    system-auth
+-- 
+2.38.1
+
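Review bot: In the first hunk `account  include    system-auth` follows `account  sufficient pam_unix.so no_pass_expiry`, so the shared account checks are reached only for users that pam_unix does not accept; for the rest the stack ends at the `sufficient` line. The patch has an empty description, so it is not stated whether that is intended. The second hunk drops the explicit `session  optional   pam_systemd.so` and relies on system-auth to supply it, which is not visible here. A locally customised system-auth without pam_systemd would leave the user manager session without that module. A short commit message plus a comment in the file such as `# pam_systemd.so is expected to come from system-auth` would record both assumptions.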
diff --git a/systemd-user b/systemd-user
deleted file mode 100644
index 8ef2c18..0000000
--- a/systemd-user
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file is part of systemd.
-#
-# Used by systemd --user instances.
-
--account sufficient pam_systemd_home.so
-account  sufficient pam_unix.so no_pass_expiry
-account  include system-auth
-
-session  required pam_selinux.so close
-session  required pam_selinux.so nottys open
-session  required pam_loginuid.so
-session  required pam_namespace.so
--session optional pam_systemd_home.so
-session  include system-auth
diff --git a/systemd.spec b/systemd.spec
index 306c90b..f531c1c 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -89,11 +89,17 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.
 
+Patch0001:      0001-pam-align-second-and-third-columns.patch
+Patch0002:      0002-pam-add-a-call-to-pam_namespace.patch
+Patch0003:      0003-pam-actually-align-the-columns.patch
 
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0490:      use-bfq-scheduler.patch
 
+# Adjust upstream config to use our shared stack
+Patch0491:      fedora-use-system-auth-in-pam-systemd-user.patch
+
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
 %endif
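Review bot: Replacing the packaged `systemd-user` file with the upstream template plus `Patch0491` changes the installed PAM stack, not only how it is built, and the comment `# Adjust upstream config to use our shared stack` does not say so. Compared with the deleted file, the rendered stack gains `session optional pam_keyinit.so force revoke`. The pam_selinux and pam_systemd_home lines also become conditional on HAVE_SELINUX and ENABLE_HOMED at build time. I would extend the comment to name these differences, so that a reviewer of the rendered /etc/pam.d file knows they are expected. Removal of the Source and install lines for the deleted `systemd-user` is not in this hunk and should be confirmed elsewhere in the spec.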