At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust takes away the ability to manage the eTrust config from root and puts it in the hands of "security admin". So there's a good separation of duties; security admin control the security ruleset, but are limited by the OS permissions (so even if they granted themselves permission to modify /etc/shadow, the standard OS permissions would block them) and system admins control the OS (so they can be root, but can't override eTrust).
Ideally this type of separation would be useful in the SELinux world as well. OK, maybe this is a bit of an overkill for my own machines, but then I do have bastion hosts and internal segmented networking at home; I do overkill at times :-)
The problem is that I can't see how to prevent this. There are too many access points (not just the CLI tools but the pp files and the /sys tree and I don't know what else).
I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux has security_t so maybe a policy that deny's everyone except a new security_admin_t permission to modify those files might work?
Has anyone actually attempted this?