UNIX for Advanced & Expert Users

Hey folks,
not sure whether this or the security board is the right forum. If I failed, please move

So here's the problem:
I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.

Any tipps, links, literature, finished programs will be appreciated, thanks

A short idea I had and almost forgot: How difficult is it to change the routine of linux which starts a process in such a way that it will call for every process start a little programm of myself which will then check the program to be executed and - in case of a missing signature - will cancel it?

I don't see any reason to do this.
If you build a system with only the programs that you will allow installed, and then give users restricted shell access only, they can only run programs that you have approved, and have no way to install others.

And the executable bit is insufficient why?

What is wrong with SELINUX, AppArmor, or similar security policy models?

I think this technique has a lot of promise. There are several implementations. Here is one. Google for "linux signed executables only" to see other references.

And those of you who think execution bits or restricted shells provide adequate security might want to take a look.

Not merely execution bits, but file and account control in general...

The point remains the same: We don't know his goals, and he hasn't returned to describe them, so this kind of scheme is likely to be severe overkill.