[j16sdiz]

Think SELinux.

sudo is bad, but it is not worse.

Like SELinux, you are not supposed to be able to disable without reboot.

[fignews]

Wouldn’t `setenforce 0` be essentially “disabling” SELinux without a reboot?

[OJFord]

Puts it in 'permissive' mode, i.e. 'audit but don't deny'. Disabling (i.e. no auditing either, no record) requires a reboot I believe (a change to kernel param).