We need to constrain a tomcat escalated root user from executing "useradd" and "semanage" commands on RHEL6.

Can we add a SELinux constraint policy to achieve  the same?

A tomcat escalated root user (I.e when a "tomcat" user escalates to the "root" user on the system)
 has the following security context

uid=0(root) gid=0(root)
  groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:tomcatd_t:SystemLow-SystemHigh

The logic of this constraint should be be as follows..

If id="root" and source type="tomcatd_t" 

   Then disallow domain transition to both "useradd_exec_t" as well as "semanage_exec_t"

1. Is this something doable through an SELinux constrain policy.
2. If so what should be the syntax of the policy.