Snap vendor lock-in approach to confinement is problematic

No accusation on your part - didn’t want to give that impression. Your engagement in the discussion is appreciated.

I surely have a view that is tainted by the Bell-LaPadula and Biba integrity security models and their implementation in the design of SELinux. You can test the formal proofs of the basic security theorem, the ss-property, and the *-property in the implementation of SELinux, where any formal model also requires possible means of subversion (side-channel attacks, timing attacks, KASLR bypass, etc.). There is significant research and science in such an approach that makes determining soundness formal vs arbitrary. While arguments are made about the complexity of SELinux, it's evidence of the de-prioritization of full understanding of what rights and permissions are necessary to run a process and a de-privilege-by-default implementation of MAC policy enforcement, as well as opt-out vs opt-in policy confinement.

I don't believe the security team is making a choice, but the approach to confinement is in the context of what the current development team can provide with the resources available. That I do understand. But it does limit adoption, and lately more development is being done that is distro-specific. SELinux strict policy enforcement DOES work on Ubuntu 20.04 (refpolicy 20210203 + 43 policy additions) and even works well with user confinement (no unconfined users), because we use it extensively and exclusively.

In terms of work - count me in. There are multiple approaches that were brought up previously in 2017 -

But there are more options available to achieve this now.

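The post above claims a strict SELinux setup with no unconfined users. The check a practitioner would want before believing that on their own box is an audit of two things: the login-to-SELinux-user mappings (`semanage login -l`) and the running process labels (`ps -eZ`). The script below is an added example, not code from the post or from the Ubuntu/refpolicy projects. The two sample outputs embedded in it are constructed to stand in for those commands so it runs offline; on a live system you would feed the real command output to the same functions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an SELinux user-confinement
# setup for "unconfined" leftovers. SAMPLE_LOGINS and SAMPLE_PROCS are CONSTRUCTED
# to mimic `semanage login -l` and `ps -eZ`; replace them with the real output.

# Constructed stand-in for `semanage login -l`
# (columns: Login Name, SELinux User, MLS/MCS Range, Service)
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 sysadm_u             s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
svc_backup           user_u               s0                   *'

# Constructed stand-in for `ps -eZ` (columns: LABEL PID TTY TIME CMD)
SAMPLE_PROCS='system_u:system_r:init_t:s0         1 ?  00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?  00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1401 pts/0 00:00:00 bash
staff_u:staff_r:staff_t:s0-s0:c0.c1023 1422 pts/1 00:00:00 bash'

# Print every login name whose SELinux user is unconfined_u.
# The header row (NR == 1) is skipped; the SELinux user is the second column.
unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Print the PID of every process whose security context contains the
# unconfined_t type (the context is the first column of `ps -eZ`).
unconfined_procs() {
    printf '%s\n' "$1" | awk '$1 ~ /:unconfined_t:/ { print $2 }'
}

# Overall verdict: exit 0 when nothing is unconfined, 1 otherwise.
# $1 = semanage login output, $2 = ps -eZ output
audit_confinement() {
    logins=$(unconfined_logins "$1")
    procs=$(unconfined_procs "$2")
    if [ -z "$logins" ] && [ -z "$procs" ]; then
        echo "OK: no unconfined login mappings and no unconfined_t processes"
        return 0
    fi
    # The usual culprit is the __default__ mapping; confine it with e.g.
    #   semanage login -m -s user_u __default__
    # (or staff_u for people who need to transition to sysadm_r via sudo).
    [ -n "$logins" ] && echo "unconfined login mappings: $(echo "$logins" | tr '\n' ' ')"
    [ -n "$procs" ]  && echo "processes in unconfined_t (PIDs): $(echo "$procs" | tr '\n' ' ')"
    return 1
}

# Usage with the constructed samples: flags __default__ and PID 1401.
audit_confinement "$SAMPLE_LOGINS" "$SAMPLE_PROCS" || echo "audit failed (exit $?)"
```

The first function is the one that matters for "no unconfined users": `__default__` is what every login not listed explicitly is mapped to, so an `unconfined_u` there means the strict policy is only strict for the accounts you remembered to map. The second function catches the other common leak, a daemon or shell that was started from an unconfined context before the policy was tightened and is still running in `unconfined_t`.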