@mia @lanodan @lispi314 MACs like AppArmor and SELinux are either essentially useless, or are extremely annoying. AppArmor does almost nothing when there's no policy for the service (most of the time unless packaged by distro) and SELinux is paranoid to the point that it is annoying, and writing policies for it is also annoying.
As you said, it's just duct tape to make something insecure seem like something that is at least somewhat secure.
It also doesn't help that attempts like seccomp and Landlock are too complicated compared to something simple and yet effective like pledge and unveil from OpenBSD.