http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_sysadm.patch sysadm_t needs mls overrides to look at all processes within his range. Dontaudit domains outside his range, so tools like top will work. Allow sysadm to exec all applications and scripts Manage user tmp content connect to syslog Eliminate transitions that redhat does not want.