No, that is just not true. You can stop root from doing things without a reboot with SELinux but encrypting something with a password root does not know actually does stop them from doing it at all short of a brute force attack on the encryption.
Oh, I was specifically thinking that admins that have users either competent enough not to forget/lose their passwords or mature enough not to whine to the admin when that causes the loss of all their files are pretty niche.
No, that is just not true. You can stop root from doing things without a reboot with SELinux but encrypting something with a password root does not know actually does stop them from doing it at all short of a brute force attack on the encryption.
That’s true - you can often recover a bad ACL. I was thinking more of the “niche use case” where separating duties and restricting root are concerned.
Oh, I was specifically thinking that admins that have users either competent enough not to forget/lose their passwords or mature enough not to whine to the admin when that causes the loss of all their files are pretty niche.