append only file system - selinux?

Chris Stankaitis chris at beowulf.net
Thu Mar 24 20:58:40 UTC 2005


Here is my issue: for security certification purposes I need to be able 
to create an append-only file system for logs, such that no one, *even 
root*, will be able to futz with the log files on my log server.

My problem is that, to the best of my knowledge (and I do hope I am wrong 
and corrected here), this cannot be done at the kernel level in 
RHEL/Fedora. I can chattr a log append-only, but any root user can take 
the flag off, clean up the stuff in the log they don't want seen, and 
re-chattr the file.

I know on BSD variants you can set this at an OS level, thus to subvert 
the logs you would need to reboot, change the setting, do your dirty 
work, reboot again, turn the setting back, etc... basically VERY trackable 
given the fact that the box needs to be rebooted a few times.

I really want to avoid having to run a BSD variant, but if that is what 
I need to do to get the functionality, I will.

I am sure that others have come up against this problem with regard to 
security compliance. What are you guys doing?

If there is no 2.4 kernel solution, is there a 2.6/SELinux solution to 
my problem that would not allow anyone (even root) to do anything but 
append to logs?

Thank you in advance for the advice.
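As an added illustration of the chattr weakness the post describes (not code from the original message or from Fedora), the script below audits lsattr output and reports log files that have lost the append-only flag. It assumes the e2fsprogs lsattr output format (flag field, a space, then the path); the sample output and the paths in it are constructed.

```python
"""Audit chattr flags on log files and report any that have lost the
append-only ('a') attribute.  Added example, not from the original post.
Assumes e2fsprogs lsattr output: a flag field, whitespace, then the path."""
import subprocess

# Constructed sample of `lsattr /var/log/*` output.  Flag letters follow the
# e2fsprogs convention ('a' = append only, 'i' = immutable, '-' = unset).
SAMPLE_LSATTR = """\
-----a--------e------- /var/log/messages
--------------e------- /var/log/secure
----ia--------e------- /var/log/audit/audit.log
"""


def parse_lsattr(output):
    """Return {path: set_of_flag_letters} from lsattr text output."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, path = line.split(None, 1)  # keep paths that contain spaces
        result[path] = {c for c in flags if c != "-"}
    return result


def find_unprotected(attrs, required=("a",)):
    """Paths missing any of the required attributes (default: append-only)."""
    return sorted(p for p, f in attrs.items() if not set(required) <= f)


def audit_paths(paths):
    """Run lsattr on real paths (needs e2fsprogs) and return unprotected ones.
    As the post notes, root can clear the flag and set it back, so a passing
    audit shows the flag is set now, not that the file was never modified."""
    out = subprocess.run(["lsattr", *paths], capture_output=True,
                         text=True, check=True).stdout
    return find_unprotected(parse_lsattr(out))


if __name__ == "__main__":
    missing = find_unprotected(parse_lsattr(SAMPLE_LSATTR))
    print("missing append-only flag:", missing)
```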




More information about the fedora-devel-list mailing list