When a particular user tries to log in on a particular host, we are seeing an error in the logs, something like this:
(2022-12-15 13:24:51): [selinux_child[1096]] [sss_seuser_exists] (0x0400): seuser exists: no
(2022-12-15 13:24:51): [selinux_child[1096]] [seuser_needs_update] (0x0400): The SELinux user does need an update
(2022-12-15 13:24:51): [selinux_child[1096]] [libsemanage] (0x0020): Error while reading kernel policy from /etc/selinux/targeted/active/policy.linked.
(2022-12-15 13:24:51): [selinux_child[1096]] [main] (0x0020): Cannot set SELinux login context.
(2022-12-15 13:24:51): [selinux_child[1096]] [main] (0x0020): selinux_child failed!
The file /etc/selinux/targeted/active/policy.linked existed, but was empty.
Reproducing on a lab machine, deliberately emptying that file, the problem was reproducible - for new users, though not for old users. Presumably, caching at work, somewhere.
Deleting the empty file and then trying again, policy.linked was rebuilt, and then logins started succeeding.
(2022-12-15 15:07:03): [selinux_child[3412]] [main] (0x0400): selinux_child started.
(2022-12-15 15:07:03): [selinux_child[3412]] [main] (0x0400): context initialized
(2022-12-15 15:07:03): [selinux_child[3412]] [main] (0x0400): performing selinux operations
(2022-12-15 15:07:03): [selinux_child[3412]] [sss_seuser_exists] (0x0400): seuser exists: no
(2022-12-15 15:07:03): [selinux_child[3412]] [seuser_needs_update] (0x0400): The SELinux user does need an update
(2022-12-15 15:07:14): [selinux_child[3412]] [pack_buffer] (0x0400): result [0]
(2022-12-15 15:07:14): [selinux_child[3412]] [main] (0x0400): selinux_child completed successfully
I'm hopeful that the same thing will work on the other box - will let you know if it doesn't. :-)
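
An added example, not part of the original post: a shell check that pulls the policy file named in the libsemanage error out of a selinux_child log and reports whether that file is missing, empty or non-empty. The function names, the optional root-prefix argument and the log path in the final comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from sssd or the post.

# Constructed sample input: failing selinux_child lines as quoted in the post.
SAMPLE_LOG='(2022-12-15 13:24:51): [selinux_child[1096]] [seuser_needs_update] (0x0400): The SELinux user does need an update
(2022-12-15 13:24:51): [selinux_child[1096]] [libsemanage] (0x0020): Error while reading kernel policy from /etc/selinux/targeted/active/policy.linked.
(2022-12-15 13:24:51): [selinux_child[1096]] [main] (0x0020): selinux_child failed!'

# Read log lines on stdin and print each distinct file path that libsemanage
# reported it could not read as kernel policy.
policy_paths_from_log() {
    sed -n 's/.*\[libsemanage\].*Error while reading kernel policy from \(.*\)\.$/\1/p' | sort -u
}

# Classify one file: "missing", "empty" (exists, zero bytes) or "ok".
policy_file_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    else
        echo ok
    fi
}

# Read a log on stdin and print "<state> <path>" for every path it names.
# $1 is an optional root prefix, so a copied filesystem tree can be checked.
check_log() {
    root=${1:-}
    policy_paths_from_log | while IFS= read -r path; do
        printf '%s %s\n' "$(policy_file_state "$root$path")" "$path"
    done
}

# Example (placeholder log path): check_log < /path/to/selinux_child.log
```

An "empty" result corresponds to the condition described in the post, where policy.linked existed but had zero length.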