> Of course this can be somewhat worked around by adjusting the SELinux policy
> (allowing blanket noatsecure permission for init_t and possibly others) or
> by pam_limits (for components using PAM).

Correction: pam_limits also usually doesn't help here, as it's often followed by another secureexec (for example when login (local_login_t) executes the shell with transition to unconfined_t). 2T

