Michael Decker wrote:
Hi!
I wonder, if I can setup this kind of scenario: An admin has to change e.g. some SELinux policies. But if an admin can change all SELinux policies, he could change his own or others in a way, so he can do anything. So a second admin/user has to allow that action.
Is there a way to setup that?
Thanks...
Not really. If a user can change policy he can pretty much get around controls. You could build constraints into the base policy to prevent him from loading certain kinds of policy, but it would get very complicated.
Dan