[redhat-lspp] First login problem over ssh with polyinstantiated homedirs

Matt Anderson mra at hp.com
Thu Nov 16 21:09:45 UTC 2006


Using the kickstart install to create users and set up /home to be a
polyinstantiated directory we have been seeing a problem.  When first
attempting to log in over ssh, after successfully authenticating, the
connection is closed.  When you try again the connection is allowed, but
permission is denied on the user's home directory.

Looking in the audit log and /var/log/secure reveals that pam_namespace
is going through the process of creating the polyinstantiated directory
and that process fails when it attempts to set the label and the DAC
owner/group information.

Adding an allow rule:
allow sshd_t staff_home_t:dir { getattr setattr relabelto };

sshd can then set the label and DAC permissions for the home directory
and both problems above go away.  For staff_r at least, obviously the
above rule needs to be extended for other types.

-matt
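
The audit-log step described in the message above, as an added example that is not part of the original post: a small parser that collapses AVC denials into the allow rules they imply, one per source type, target type and class. The log records are constructed for illustration, and the user_home_t and crond_t lines are assumptions added to show other types appearing alongside staff_home_t.

```python
import re

# Constructed sample records (not from the original post). Field layout follows
# the usual SELinux AVC audit format; pids, inodes and names are made up.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1163711299.900:409): user pid=2301 uid=0 msg='PAM: authentication acct=user1 res=success'
type=AVC msg=audit(1163711300.101:410): avc:  denied  { getattr } for  pid=2301 comm="sshd" name="user1" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:staff_home_t:s0 tclass=dir
type=AVC msg=audit(1163711300.102:411): avc:  denied  { setattr } for  pid=2301 comm="sshd" name="user1" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:staff_home_t:s0 tclass=dir
type=AVC msg=audit(1163711300.103:412): avc:  denied  { relabelto } for  pid=2301 comm="sshd" name="user1" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:staff_home_t:s0 tclass=dir
type=AVC msg=audit(1163711420.201:430): avc:  denied  { setattr } for  pid=2388 comm="sshd" name="user2" dev=dm-0 ino=4810 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1163711500.301:440): avc:  denied  { getattr } for  pid=1999 comm="crond" name="user1" dev=dm-0 ino=4711 scontext=system_u:system_r:crond_t:s0 tcontext=staff_u:object_r:staff_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]


def denials_to_rules(log_text, source_type=None):
    """Collapse AVC denials into allow rules, keeping first-seen permission order.

    If source_type is given, only denials from that domain are considered.
    """
    needed = {}  # (source, target, class) -> ordered list of permissions
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. USER_AUTH records)
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if source_type and src != source_type:
            continue
        perms = needed.setdefault((src, tgt, m["tclass"]), [])
        perms.extend(p for p in m["perms"].split() if p not in perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in needed.items()]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, source_type="sshd_t"):
        print(rule)
```

Each emitted rule is a candidate to review before it goes into policy, not something to load as-is.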



