selinux-base-policy does not include secadm, auditadm, logadm. This is especially problematic because in MLS, sysadm is not allowed to modify the selinux policy. newrole -r secadm_r returns invalid context.