[rsbac] ssh rc-role

tazok tazok.id0 at gmail.com
Mon Aug 21 19:00:01 CEST 2006


I think your problem is the use of rc_forced_role on an FD. When
you make an execute system call on the sshd daemon, it gets its
default role from the initial role, and when a setuid syscall is made
it takes the value of the rc_forced_role. If you assign one role to
this, it will act as a "wrapper" for all users that log into
the system (all of them will run with the same role and the same
privileges). I think your problem comes from here.

Try this: make a new role, sshd_daemon for example, and grant it the
necessary privileges to work. After this, assign the value
role_inherit_mixed_up to the rc_forced_role option. With this (if
I'm not wrong), after the user logs into the system, he/she will do so
with his/her own privileges. Something like this is what will happen:

sshd(sshd_role) --> login success --> setuid (transition to user_default_role).

