Status: OUT
RHEL 9 enforces access control on both sides of the authentication boundary. Before authentication, defenses such as pam_faillock account lockout, chage password aging, and SSH key-based authentication gate entry. After authentication, layered authorization (DAC ugo/rwx permissions → SELinux Type Enforcement → MCS category conjunction) restricts what authenticated subjects can access.
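
An added example, not from the original page: a simplified Python model of the post-authentication chain that reports which layer denies first. The allow rules, sample subjects and files, and all helper names are constructed assumptions; capability overrides for root, ACLs, and MLS sensitivity levels are left out.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset
    setype: str
    cats: frozenset   # MCS categories of the process

@dataclass(frozen=True)
class FileObj:
    uid: int
    gid: int
    mode: int
    setype: str
    cats: frozenset   # MCS categories on the file label

# Constructed TE allow rules: (source type, target type, class, permission)
ALLOW = {("container_t", "container_file_t", "file", "read"),
         ("container_t", "container_file_t", "file", "write")}
BITS = {"read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}

def dac_allows(s, o, perm):
    # Only the first matching class (owner, group, other) is consulted
    idx = 0 if s.uid == o.uid else 1 if o.gid in s.gids else 2
    return bool(o.mode & BITS[perm][idx])

def te_allows(s, o, perm):
    return (s.setype, o.setype, "file", perm) in ALLOW

def mcs_allows(s, o):
    # The subject must hold every category on the object
    return o.cats <= s.cats

def decide(s, o, perm):
    """Return 'allowed' or the first layer that denies, in evaluation order."""
    for layer, ok in (("DAC", dac_allows(s, o, perm)),
                      ("TE", te_allows(s, o, perm)),
                      ("MCS", mcs_allows(s, o))):
        if not ok:
            return "denied:" + layer
    return "allowed"

# Constructed sample subject and files
PROC = Subject(1000, frozenset({1000}), "container_t", frozenset({"c1", "c2"}))
OWN = FileObj(1000, 1000, 0o640, "container_file_t", frozenset({"c1", "c2"}))
PEER = FileObj(1000, 1000, 0o644, "container_file_t", frozenset({"c3", "c4"}))
WEB = FileObj(0, 0, 0o644, "httpd_sys_content_t", frozenset())
ROOTONLY = FileObj(0, 0, 0o600, "container_file_t", frozenset({"c1", "c2"}))
```

The layer named in the result indicates where to look when troubleshooting: a DAC denial never reaches SELinux, so it produces no AVC record in the audit log.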