Description of problem: The role(s) selected for selinux when adding a user for "System Administrator" are not consistent with other stuff. For example, a user defined this way should be able to run up2date with a password prompt for his/her password ... not root's password. I believe the roles that need to be assigned are staff_r sysadm_r
I guess s-c-u is still a "work in progress" since the reason it is not consistent is that it appears that it is not updating the policy.
I just stubbed in the widgets in the hopes that the SELinux handling would be added to libuser in time. It looks like that isn't going to happen, so I'm going to hide those widgets for the time being.
Widgets should be hidden in system-config-users-1.2.12-3 in Rawhide.
I'm not sure using SELinux roles to determine what password is asked for is the right approach. Having tools check for SELinux and act differently has a surprising side-effect -- normally, SELinux acts as additional limits to standard Unix permissions and authorization, but this would make SELinux allow users to do things they couldn't normally. Booting with SE Linux enabled shouldn't give more lenient access rights than having it disabled. Making SELinux go both directions can only lead to confusion, and confusing security policy leads to bad security, no matter how strong the technical implementation. Instead, I humbly suggest that auth-as-self access be implemented via my patch to usermode: bug #86188.