search for: secure_

At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust takes away the ability to manage the eTrust config from root and puts it in the hands of "security admin". So there's a good separation of duties; security admin control the security ruleset, but are limited by the OS permissions (so even if they granted themselves permission to modify /etc/shadow, the

...curity_admin_t permission to modify those files might work? > > Has anyone actually attempted this? > You would need to disable the unconfined.pp module and the unconfineduser.pp module and run all of your users as confined user including the admin user as sysadm_t. You could also set the secure_ booleans getsebool -a | grep secure_* secure_mode --> off secure_mode_insmod --> off secure_mode_policyload --> off