So I'm in the process of Upgrading my servers from RHEL5 to RHEL6. On my RHEL5 system I had to build the reference policy from scratch in order to prevent users from being able to transition to init_t through initrc_t. Basically, I want systems that have to be rebooted in order to restart certain services, like auditd, or at least be able to split those duties into different roles. One role can edit a file or install something, but a different role must restart it. Because life the universe and everything goes through initrc_t, just about anything on the system running as root can mess with services. I'd like to highly limit things, and haven't really looked at any new developments in selinux for about 4 years. What's the best way/place to start removing domain transitions and requiring additional roles.
thanks,
-jj-
