Some older versions of SELinux and OpenSSH compiled to support it allow you to log in with an arbitrarily chosen SELinux role. You'll need a valid account, and some fairly undefined conditions, but the attack is:
ssh --l<username>:/<chosen role> <host>Haven't seen a (potential) stuff up like that since the MIT Kerberos telnet daemon flaw (which was significantly worse). I'd like to think that people who've gone to the effort of setting up SELinux also patch regularly. Source, milw0rm.
I am interested in this because it is dreadfully simple, has some weird implications for how SSH and SELinux interact, and there is scant information about this. Maybe a few more eyes can uncover something.
Disclaimer: I haven't tested this. The author only tested it on a limited subset and it didn't work on up-to-date distros.
Update: Explained my motivations and authority (or lack there of) of the exploit thanks to foobar's comments.