[CentOS] How to prevent root from managing/disabling SELinux

Mon Jan 26 20:29:23 UTC 2015
Daniel J Walsh <dwalsh at redhat.com>

On 01/23/2015 06:01 PM, Stephen Harris wrote:
> At work I'm used to tools like eTrust Access Control (aka SEOS).  eTrust
> takes away the ability to manage the eTrust config from root and puts it
> in the hands of "security admin".  So there's a good separation of duties;
> security admin control the security ruleset, but are limited by the OS
> permissions (so even if they granted themselves permission to modify
> /etc/shadow, the standard OS permissions would block them) and system admins
> control the OS (so they can be root, but can't override eTrust).
>
> Ideally this type of separation would be useful in the SELinux world
> as well.  OK, maybe this is a bit of an overkill for my own machines,
> but then I do have bastion hosts and internal segmented networking at
> home; I do overkill at times :-)
>
> The problem is that I can't see how to prevent this.  There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that denies everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?

You would need to disable the unconfined.pp module and the
unconfineduser.pp module and run all of your users as confined user
including the admin user as

You could also set the secure_ booleans

getsebool -a | grep secure_
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
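
A read-only audit of the three things the reply names (the unconfined modules, user mappings to unconfined_u, and the secure_ booleans), as an added example that is not part of the original post. The sample output, the `secadm` login and the `--live` switch are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Each helper reads one command's
# output on stdin, so it works on saved output as well as a live host.

# Input: `getsebool -a`. Prints secure_* booleans that are still off.
secure_booleans_off() {
    awk '$1 ~ /^secure_/ && $2 == "-->" && $3 == "off" { print $1 }'
}

# Input: `semanage login -l`. Prints logins still mapped to unconfined_u.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Input: `semodule -l`. Prints unconfined modules that are still enabled.
# Assumption: a disabled module is either absent from the listing or
# carries a trailing "Disabled" column, depending on the tool version.
unconfined_modules() {
    awk '($1 == "unconfined" || $1 == "unconfineduser") && $NF != "Disabled" { print $1 }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_GETSEBOOL='httpd_enable_cgi --> off
secure_mode --> on
secure_mode_insmod --> off
secure_mode_policyload --> off'
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
secadm               staff_u              s0-s0:c0.c1023       *'
SAMPLE_MODULES='apache 2.7.2
unconfined 3.5.0
unconfineduser 1.0.0 Disabled'

# Query the live system only when asked: sh audit.sh --live (as root).
if [ "${1:-}" = "--live" ]; then
    echo "secure_* booleans still off:";   getsebool -a | secure_booleans_off
    echo "logins mapped to unconfined_u:"; semanage login -l | unconfined_logins
    echo "unconfined modules enabled:";    semodule -l | unconfined_modules
fi
```

Empty output from all three helpers means no unconfined module, no unconfined_u mapping and no disabled secure_ boolean was found in the input.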