http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1 tells people to run the following commands:

~# semanage login -a -s staff_u john
~# restorecon -R -F /home/john

That makes sense for the strict policy, where otherwise that Linux user would have user_u SELinux user. However, when using targeted policy, the default SELinux user is unconfined_u, which is obviously unrestricted. Surprisingly (for me), staff_u is actually more restricted than unconfined_u.

I can produce a C program demonstrating the issue in more detail (using setcon fails under staff_u but succeeds with unconfined_u), but hopefully the above is convincing enough.

Please let me know if you need more info, I'd be happy to provide it. I'm still learning SELinux, so I'm aware it may be just my newbie mistake.
Fixed in CVS