Anyway, for now I had to add to my local policy modes:
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t load_policy_t sysadm_mail_t ping_t traceroute_t } staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
And this is probably still very incomplete.
-- Aleksey Nogin
Home Page: http://nogin.org/ E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxx (personal) Office: Jorgensen 70, tel: (626) 395-2907