Not without a reboot though, and while I haven’t done that, it should be possible to protect selinux ‘s config itself with a policy, requiring boot loader access to bypass, at which point you’re dealing with a different risk level.
I’ll agree that Linux security is quite limited and primitive if compared with, say, a mainframe, but it can be made less bad with a reasonable amount of effort.
That’s a big rabbit hole, reading about RACF is a good place to start.
The short answer would be that mainframes come with RBAC from design, unlike Unix, which has a different security model from conception and then had rbac added on top of it in some cases (such as selinux).
I’ll agree that Linux security is quite limited and primitive if compared with, say, a mainframe, but it can be made less bad with a reasonable amount of effort.