FC5 MLS Policy: auditctl permission denied

Hey Steve, Under the FC5 MLS policy, what is the magic incantation of SELinux role and MLS range that will make auditctl go? I've tried staff_r, with staff_t and SystemLow, which I did not expect to work (and it didn't). I've also tried sysadm_[rt] and secadm_[rt] with both SystemHigh and SystemLow. So far, no combination has lead to auditctl being usable. secadm & sysadm attempts resolve in a direct bash denial message, whereas staff _can_ execute audit, but I get the messages: "Error sending (rule/watch) list request (Permission denied)" Anyone know the magic or is this a policy bug? Thanks, Mike