-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The problem we are seeing, is people running sshd as unconfined_t, is
failing to log users in as unconfined_t.  The reason is the
get_context_list function is looking for all transitions from
unconfined_t.  Since unconfined_t can execute all domains, the kernel
returns ERANGE error.  Then get_context_list fails over to DEFAULTUSER
(user_u), which is some ancient code used in RHEL4.  Since we introduced
seusers, this code does not make much sense.  unconfined_u is not
allowed to transition to user_u so the code fails.  If we remove this
code it will fail over to FAILSAFE_CONTEXT which I set up as
unconfined_r:unconfined_t

And everything works.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxPLLIACgkQrlYvE4MpobPyEwCff4shFQiYpROAfwtlKbg3I0EP
RH0An3QIg1lQUXcEhjcTjp1WvMRFmFUi
=+s4z
-----END PGP SIGNATURE-----