SELinux best practices

Is there a "recommended" way to setup access for privileged admin tasks with sudo? In Dominick Grift's blog article http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-ne... the user assigned the webadm_r role gets a sudo access with match "ALL" so in this example you trust SELinux solely to protect the system from unauthorized access. Is this way you would normally do it on a production machine? If you make the sudoers rules more specific for the actual commands the admin user need to run you will gain some initial lock-down from sudo, but at the expense of the sudoers file requiring significantly more maintenance. Administrators generally like scripting to automate task, but by allowing a sub-admin to run a shell with uid=0 we are again left with only SELinux to prevent unauthorized access. Is the general feeling that SELinux in say fedora12 is mature enough so that we can trust that it will protect the system from unauthorized access if we allow sub-administrators to run scripts as uid=0 ? I see that support for capabilities on files has finally found its way into fedora12. It that something that is being used to achieve some sort of middle ground between the two alternatives I listed above? /Leif