Mainly this patch splits secadm_r from sysadm_r.  Still have some 
problems.  (rpm_script_t executing load_policy is failing and I don't 
know why.  No AVC messages)

Add rpm definitions for pub and pirut.

Need to run load_policy from rpm_script in the correct role.  So added 
seutil_run_loadpol to rpm.if

rpm_script wants to output to the terminal.

Mono needs execmem.

Error in the files.if file.

inotify and udev caused audit to go nuts on MLS platform.  Wants to 
search the inotifyfs_t dir

Want to drop sensitivity level on rpm and lvm when run by kernel or 
sysadm_t at SystemHigh.

Add +/dev/xvd for Zen machines

Cups looks like it is probing all ttydevices for serial printers I guess.

Hal wants to communicate with initctl and read utmp

sulogin wants to use a tmpfs_t:chr_file if udev has not started.

Insmod reads /etc/selinux/targeted/contexts/files/media file.

Fix run_init to use netlink_audit_t

Stop auditing denials to execstack.  Too many files ask for it and it 
does not seem to break anything.  Log files are filling up with denials.

On mls machines, secadm can only run SELinux utilities and read the 
auditfiles, and is not allowed to do most of what sysadm_t can.  
Sysadm_t is not allowed to run most  SELinux utilities or read the 
auditfiles.