Description of problem:

The "unconfined_login" boolean is supposed to "allow users to login as an unconfined domain" (i.e. "unconfined_t").
Turning OFF this boolean doesn't seem to have any effect, at least on sshd:

a user mapped to unconfined_u can still log in:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ssh unconfined@vm-confined8

[unconfined@vm-confined8 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The policy shows the following rules being added when "unconfined_login" is enabled:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -b unconfined_login
allow unconfined_login_domain bin_t:dir { getattr ioctl lock open read search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:lnk_file { getattr read }; [ unconfined_login ]:True
allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
allow unconfined_login_domain unconfined_t:process transition; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fd use; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fifo_file { append getattr ioctl lock open read write }; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:process sigchld; [ unconfined_login ]:True

# seinfo -a unconfined_login_domain -x

Type Attributes: 1
   attribute unconfined_login_domain;
    chroot_user_t
    crond_t
    local_login_t
    remote_login_t
    rshd_t
    sshd_t
    sulogin_t
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

From above, I'd expect when boolean is off, that shell services (e.g. sshd) cannot spawn a shell but ... there is an unconditional rule in the policy as well for sshd:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s sshd_t -t shell_exec_t
[...]
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ ssh_sysadm_login ]:True
allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Stracing sshd with "--secontext" option shows the context change for the sshd user happens without issue:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
39754 [sshd_t] 13:13:41.865154 write(12</proc/39754/task/39754/attr/current> [sshd_t], "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\0", 54) = 54 <0.000142>
39754 [unconfined_t] 13:13:41.865324 close(12</proc/39754/task/39754/attr/current> [unconfined_t]) = 0 <0.000004>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

What's wrong?

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Map a user to "unconfined_u"

  # useradd -Z unconfined_u unconfined
  # echo "pass" | passwd --stdin unconfined

2. Disable the boolean

  # semanage boolean --modify --off unconfined_domain

3. Try ssh'ing

  # ssh unconfined@localhost

Actual results:

Works

Expected results:

Doesn't work