[CentOS] How to prevent root from managing/disabling SELinux

Fri Jan 23 23:01:31 UTC 2015
Stephen Harris <lists at spuddy.org>

At work I'm used to tools like eTrust Access Control (aka SEOS).  eTrust
takes away the ability to manage the eTrust config from root and puts it
in the hands of "security admin".  So there's a good separation of duties;
security admin control the security ruleset, but are limited by the OS
permissions (so even if they granted themselves permission to modify
/etc/shadow, the standard OS permissions would block them) and system admins
control the OS (so they can be root, but can't override eTrust).

Ideally this type of separation would be useful in the SELinux world
as well.  OK, maybe this is a bit of an overkill for my own machines,
but then I do have bastion hosts and internal segmented networking at
home; I do overkill at times :-)

The problem is that I can't see how to prevent this.  There are too many
access points (not just the CLI tools but the pp files and the /sys tree
and I don't know what else).

I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
has security_t so maybe a policy that deny's everyone except a new
security_admin_t permission to modify those files might work?

Has anyone actually attempted this?