the classic example is "root", which is a drastic binary oversimplification which is simply very convenient.
Indeed, but in the case of SE Linux the Five Star General ( root ) is also the guy who writes the rules about where he is allowed to go and what he is allowed do ( SE Linux config ).
ah *no*! he most definitely is not! again, you may be under the mistaken impression that the 5 star general has more power than he appears. if he were to start ordering people to bypass security measures, that would seriously be a breach of standard security protocol and his subordinates would report him.
but you may have misunderstood: if a 5 star general walks out of a secure area without his passport, how is he going to get on a commercial flight? he doesn't have a passport, because he didn't return his badge at the gate. mr 5 star general doesn't have control over commercial flights, does he? without identification papers, he doesn't even have control over *military* flights, let alone commercial ones.
in other words, you've misunderstood the analogy, because you are under the mistaken assumption that even a 5 star general actually has any "power" or "authority" outside of his domain and responsibilities: he doesn't. it's *all* about context, *not* about the "person". in other words it doesn't matter if he's a 5 star general, if he steps outside of the bounds of responsibility within the context that he's SPECIFICALLY been tasked to do, in that physical location, at that specific time, and under the specific circumstances, then all hell breaks loose and security alarms go off like mad.
is that clearer?
taking this away from the analogy, the OEM would prepare the OS, set the SE/Linux files up, digitally-sign the bootloader, flash it into ROM, digitally-sign the kernel, require the bootloader to check it.... then give *you* the root password, knowing full well that because SE/Linux is permanently enabled it is flat-out impossible for you - even though you have root access (a 5 star general) - to even replace the kernel, because the SE/Linux permissions explicitly forbid overwriting of the boot partition. and even though you have root, the SE/Linux permissions forbid you from chmodding the boot subdirectory.
SE Linux doesn't make root go away, it just usefully reduces the need for root day-to-day. But root is still the key capability in configuring the environment.
And Linux distros always have a way for root to disable boot-time or run-time SE Linux.
not in treacherous DRM-locked systems they don't - the ones where the bootloader is in a digitally-signed ROM which you cannot modify, where the kernel and its boot parameters are also digitally-signed and cannot be modified.