login default ... changed?

[Gene Czarcinski]

Now things related to selinux, policy, etc. have been changing so radidly that 
my memory may be incorrect.

IIRC, it used to be that if I logged in from gdm as a sysadm_r user (staff_r 
and sysadm_r) as defined in users, I would be logged in with sysadm_r.  This 
appears to have changed (or my memory is faulty).  The default for a sysadm_r 
user is to get staff_r and must use newrole -r sysadm_r to get that.  Good!  
That is the way I think it should work.

The same is true for root.  As far as selinux is concerned, root is just 
another sysadm_r user and the default role logging in from gdm is staff_r.  
Is this what should be done.  This will certainly be a change for most users. 
When I login as root from gdm, I do not expect that I will be prompted for 
root's password when I invoke system-config-users from the menu.

I also notice that doing an "su -" to root or another sysadm_r user will 
default to sysadm_r role for that user.  if it is from another sysadm_r user, 
then I get a choice of sysadm_r (default) or staff_r.  If it is from a user_r 
user, then no choice, I just get sysadm_r.

Comments??  Is this how things should work??

This is not criticism, just wondering.

Gene