• atzanteol@sh.itjust.works
    5 months ago

    SELinux is a “global ACL.” You can stop root from doing anything you like with it. Usually by accident and without realizing it’s been done in my experience…

    • taladar@sh.itjust.works
      5 months ago

      No, that is just not true. You can stop root from doing things without a reboot with SELinux, but encrypting something with a password root does not know actually does stop them from doing it at all short of a brute force attack on the encryption.

      • atzanteol@sh.itjust.works
        5 months ago

        That’s true - you can often recover a bad ACL. I was thinking more of the “niche use case” where separating duties and restricting root are concerned.