[redhat-lspp] Which role to configure IPSec?

Joy Latten latten at austin.ibm.com
Fri Sep 8 19:09:38 UTC 2006


I am running rawhide which I installed on Sept 5,
and it has selinux-policy-mls-2.3.11-1. I logged in
and did a newrole -r sysadm_r, so my context is
root:sysadm_r:sysadm_t:SystemLow-SystemHigh. I wasn't
able to configure or run IPSec in enforcing.

I am wondering whether sysadm_r is the correct role to configure
IPSec. I also am just trying to run plain IPSec, with no
labels, thus it is taking the default of unlabeled_t.

So far, audit.log says I need the following rules to configure
IPSec with the setkey command and then do a ping to test the connection.

allow unlabeled_t self:association { polmatch sendto recvfrom };
allow ping_t unlabeled_t:association polmatch;
allow sysadm_t self:key_socket { create read setopt write };

The first 2 rules appear to be generally applicable.
The first one I added to kernel.te because I didn't know where else
to place it. For the second rule, I added "polmatch" to 
kernel_sendrecv_unlabeled_association interface so that other
networking utilities would also acquire the permission. Again,
I don't really know if this is the best place to put it.
But the last one is particular to sysadm_t or whoever runs
the setkey command which is used to configure IPSec. I also
tried secadm_r and got similar complaints.

I guess what I would like to know is whether sysadm_r is the correct role
to configure IPSec?

Regards,
Joy
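As an added illustration (not part of Joy's post or the policy package), here is the kind of aggregation audit2allow performs on the denials she describes: it groups AVC records by source type, target type and object class, collapses same-type pairs to `self`, and emits the three allow rules quoted above. The audit lines are constructed in audit.log format; a defender would review each emitted rule rather than add it wholesale.

```python
import re
from collections import defaultdict

# Constructed AVC denial lines (not taken from the original post); the types,
# classes and permissions are the ones named in Joy's three rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1157742578.101:20): avc:  denied  { create } for  pid=2891 comm="setkey" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=key_socket
type=AVC msg=audit(1157742578.101:21): avc:  denied  { setopt } for  pid=2891 comm="setkey" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=key_socket
type=AVC msg=audit(1157742578.102:22): avc:  denied  { write } for  pid=2891 comm="setkey" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=key_socket
type=AVC msg=audit(1157742578.102:23): avc:  denied  { read } for  pid=2891 comm="setkey" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=key_socket
type=AVC msg=audit(1157742601.440:24): avc:  denied  { polmatch } for  pid=2904 comm="ping" scontext=root:sysadm_r:ping_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1157742601.441:25): avc:  denied  { polmatch } for  pid=2904 comm="ping" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1157742601.441:26): avc:  denied  { sendto recvfrom } for  pid=2904 comm="ping" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
"""

# Pull the denied permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the only part an allow rule needs)."""
    return ctx.split(":")[2]


def denials_to_allow_rules(log_text):
    """Aggregate AVC denials into one allow rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL lines)
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        # A domain acting on an object of its own type is written as "self".
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        perms_by_key[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        perm_str = (next(iter(perms)) if len(perms) == 1
                    else "{ " + " ".join(sorted(perms)) + " }")
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_AUDIT_LOG)))
```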
