I identified my issue, but I have to think for a bit about how I want to solve it permanently. I don't leave shells on accounts that are not intended to have logins. I also don't expect vendors to cater to non-standard configurations which have limited value/interest to the rest of the install base. I'm not going to officially submit that, it's a hack I would not write myself, and vendors should not be fixing something they didn't break. ... but I don't really want to patch every upgrade either. ...I'm kicking around the idea of a runuser proxy, but I'm not sure what I'll end up with yet.
I'm sorry about that SELinux quip, but you hit a soar spot because I'm tired of being lectured about it; if I had $1 for every time....... I have it running on over 30 servers, yet that's everyone's go-to answer, because I'm assumed to be clueless until proven otherwise... you're certainly not the first, and you won't be the last.