[vidarh]

The problem with SELinux is that they often get turned off by admins at the first hint of resistance. E.g. Apache won't read from the non-standard directory you've decided to put your app in? Off goes SELinux.

Building in lowest common denominator checks in the applications that the app developer can know won't get in the way makes it less likely the checks will get disabled.

E.g. your web server could disable filesystem access to paths it doesn't need after having read its config files and determined where it's going to log and where it's going to serve files from, so that things keep working as expected for users, possibly making exceptions for really stupid things (like exposing /etc). That would reduce the chance that users start looking for ways to just turn it off.

That makes the two approaches complementary.

I agree with you that most app developers do not care, but that's besides the point for OpenBSD: They care, and they control most of their own userland.

And you don't really need "most" apps to do it anyway. We'd get far just by having most of the highest profile internet facing server applications support it.