It would be very nice to have some way to set a rule for a "category" or group of services. It is very error-prone to administer the same set of rules for example for ssh, su, login separately and add them to different HBAC rules.
First pass at some schema design: http://freeipa.org/page/PAMServices
master: 58fed697684931e66ed054d0d5899301fd47b04d