It must be drop-dead simple to modify SELinux to be default-deny. That
seems like it could be done in a small patch instead of requiring a huge

Let's assume that everyone agrees that AA is a good idea. Which parts of it
absolutely can't be implemented in terms of SELinux? SELinux isn't fixed in
stone, it can be altered if necessary to accommodate AA (as in the example
above of becoming default-deny).