So one proposed solution to this is to take away the newrole -l functionality all together and to add Sensitivity selection to the local login. We can implement pam_selinux to ask for the sensitivity level username: dwalsh passwd: ******** Sensitivity: SystemLow If we then remove -l from newrole we are done? Dan