>> SELinux can be part of the solution but it doesn’t solve the problem
Hold on, that’s changing the goalposts a bit here. SELinux doesn’t solve this problem on RHEL boxes by virtue of just existing. It is the tool that Red Hat uses to solve the problem. And they have solved the problem by using this tool. To the point that for years now, by default, RH boxes are installed in enforcing mode.
>> The median Linux system is far behind the median Mac
I’m not really interested in the median because for better or worse, Red Hat is the most serious game in town for SELinux. Comparing Mac to RHEL, there’s only one place where Mac is ahead and that is a default Mac install at least on Apple silicon will have an immutable root. Red Hat has irons in the fire here (rpm ostree can in future unlock a user friendly immutable root). Of course you can do immutable root today (and immutable usr and even ephemeral var if you want), but I’m not going to argue those are user friendly. An experienced sysadmin will take a minute to flip over between immutable root file systems during an upgrade process.
>> This is more a function of budget than anything else.
Agreed, but the Apple chequebook looks plenty beefy.
>Red Hat is the most serious game in town for SELinux
SELinux on Red Hat only confines web servers, DNS servers and such. All software started by an interactive user, including web browsers, runs in the "unconfined" domain (term?), which means SELinux is not even trying to contain that software.
ChromeOS OTOH does use SELinux to sandbox the browser (and IIUC Android uses it to sandbox every app).
>Comparing Mac to RHEL, there’s only one place where Mac is ahead
That's not my understanding: Mac is far from perfect, but it is more secure overall than RHEL and Fedora IMO. It's not just that the Mac verifies the integrity of /usr and such whereas Linux distros do not.
Is SELinux what you would use if you wanted to deny access to the microphone or camera or photos to all applications by default?
> Red Hat is the most serious game in town for SELinux.
Not even, it's Android. Yeah, their policies are airtight.
> And they have solved the problem by using this tool. To the point that for years now, by default, RH boxes are installed in enforcing mode.
They’ve shipped it, yes. It doesn’t count as solved until all of the apps are running with policies which actually block attacks like this, just as having a fire extinguisher on the shelf doesn’t mean your fire is guaranteed to be out.
> Comparing Mac to RHEL, there’s only one place where Mac is ahead and that is a default Mac install at least on Apple silicon will have an immutable root.
Also they have far more common use of sandboxing for applications (including the harder bits about selective permissions for apps), code signing, memory protection, pervasive use of HSM and robust layered storage encryption, etc. – all out of the box, whereas even in the much easier case of servers you’re looking at many hours of skilled labor to configure an equivalent.
My point about budgets is that this is just a lot of work. Apple’s not perfect but a lot of people have a mental model from the 2000s which is no longer true.