Michael Decker wrote:
I wonder if I can set up this kind of scenario:
An admin has to change, e.g., some SELinux policies. But if an admin can
change all SELinux policies, he could change his own or others' in such a
way that he can do anything. So a second admin/user has to allow that action.
Is there a way to set that up?

Not really. If a user can change policy he can pretty much get around
controls. You could build constraints into the base policy to prevent him
from loading certain kinds of policy, but it would get very complicated.