[lug] [rephrased] SElinux for multiple apache authors

D. Stimits stimits at comcast.net
Sun Oct 28 14:04:27 MDT 2007


Ok, got no bites on the last question. Let me rephrase, maybe I can get 
advice.

The scenario is you're running Linux on CentOS with SELinux selectively 
being enforced, and covering the Apache server. You have multiple 
trusted developers. In the past you could do something like set up a 
development group with perms to the tree. With SELinux, there is now the 
added dimension of roles. So you could (maybe) do the following to give 
the developers free access:
1. Give everyone root access (not generally acceptable to work as root 
even if you have the pass though).
2. Somehow enable chcon to work via sudo.
3. Give everyone involved a new role, and merge that role into web 
permissions.
4. Give everyone involved permission to chcon using the httpd context.

Aside from choice 1, is there a choice anyone here would choose? What 
are the administrative trade-offs? Maybe I missed a better choice?

D. Stimits, stimits AT comcast DOT net


