Foreshortened

An interesting overview of various takes on MAC. I keep messing with SELinux or various sorts of process restructuring with contained capabilities for our product, but never manage to make significant gains. Pretty hard for a general-purpose commercial product with daemons to achieve much by cooperation! I feel type-based systems and traditional privilege separation with IPC are ultimately most helpful, if we were to try to usefully reduce our surface.