Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying. If SELinux is disabled, these fields are ignored.
Without this restriction, system users can start processes with
root privileges:
    $ sudo -u mail systemd-run --pipe -q id
    uid=0(root) gid=0(root) groups=0(root)
In Red Hat-based distributions, there is no pam-configs-like
mechanism (authselect seems too heavy and is not configured by
default), so instead, we replace the PAM file.
Enable su for users in the qubes group, same as in the Debian
package.