Comment by jmainguy

2 days ago

If you're root, you can just turn off SELinux

Not without a reboot though, and while I haven’t done that, it should be possible to protect SELinux’s config itself with a policy, requiring boot loader access to bypass, at which point you’re dealing with a different risk level.

I’ll agree that Linux security is quite limited and primitive if compared with, say, a mainframe, but it can be made less bad with a reasonable amount of effort.

  • What would the mainframe be running that avoids this problem?

    • That’s a big rabbit hole, reading about RACF is a good place to start.

      The short answer would be that mainframes come with RBAC from design, unlike Unix, which has a different security model from conception and then had RBAC added on top of it in some cases (such as SELinux).