I have been working heavily with the samba team here to get selinux 
policy working well with samba.


Most controversial part is
samba_unconfined_script_exec_t

Which is a directory that administrators can put random scripts into and 
allow samba to execute.