by matthews2 1411 days ago
FreeBSD has the concept of a 'security level'. You can increase it at runtime, which disables more functionality, but you can't decrease it without a reboot.

At security level 1, the immutable and append-only attributes on files can't be removed, so even chattr -i would be useless.

1 comments

Linux has SELinux, which is enabled by default in RHEL and derivatives.

You could literally hand out root shell to people, and they wouldn’t be able to make much mess out of it.

There are SELinux policies to prevent disabling SELinux too, of course.

You probably wouldn’t even need chattr.

SELinux is way more complex than security levels sound here.

Securelevels are not just this. FreeBSD has its own SELinux equivalent called Mandatory Access Control:

https://docs.freebsd.org/en/books/handbook/mac/

It goes far beyond making files immutable. I haven't really done a deep dive to see if it's on par with SELinux but the description in this thread doesn't do it justice.

What I meant is that devising a sane and useful way to make use of security levels seems easier than achieving something 'equivalent' with SELinux. Sophisticated policy systems are nice, but something that kind of bundles sane defaults together and organizes them into ordered layers like security levels sounds great.