I mean the mandatory access control system: http://schaufler-ca.com/ I'm experimenting with it but getting nowhere fast at the moment. It may be simple, but not enough to make up for the lack of examples in the documentation. OTOH I like that it doesn't need userspace support, is in the mainline kernel, and appears to be finer grained than AppArmor. Are there any decent examples of sandboxing an internet facing program with this MAC system? Any way to do it without having to apply dodgy xattr labels to binaries, or is that its whole schtick?