• taladar@sh.itjust.works
      7 months ago

      In what way does SELinux allow your users to lock themselves out of their own home directories in a way that the admin cannot fix?

      • atzanteol@sh.itjust.works
        7 months ago

        SELinux is a “global ACL.” You can stop root from doing anything you like with it. Usually by accident and without realizing it’s been done in my experience…

        • taladar@sh.itjust.works
          7 months ago

          No, that is just not true. You can stop root from doing things without a reboot with SELinux, but encrypting something with a password root does not know actually does stop them from doing it at all short of a brute force attack on the encryption.

          • atzanteol@sh.itjust.works
            7 months ago

            That’s true - you can often recover a bad ACL. I was thinking more of the “niche use case” where separating duties and restricting root are concerned.

            • taladar@sh.itjust.works
              7 months ago

              Oh, I was specifically thinking that admins that have users either competent enough not to forget/lose their passwords or mature enough not to whine to the admin when that causes the loss of all their files are pretty niche.