by Reelin 2816 days ago
Very much this. Something resembling an arbitrary number of groups per file (essentially a set of tags) and an analogous (arbitrarily numerous) set of tags applied to a process which match the launched binary. Bonus points if file format or other characteristics can somehow be worked in to automate things a bit while still maintaining security. A simple tagged group membership approach like this seems like it would be reasonably easy to use without getting in your way.

Does anything remotely resembling this already exist?

Edit: Before anyone says that SELinux resembles this, as far as I'm aware SELinux policies are anything but simple to set up and use correctly. However, SELinux types are inherited from parent directories and do look an awful lot like this. The main thing missing would seem to be that I can't find how to apply multiple contexts or types to a single file, but perhaps I'm just failing to navigate the manual?
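The scheme sketched in the comment above (a set of tags per file, a set of tags on each process taken from the binary it was launched from, and access decided by matching the two) can be written out as a small policy model. The following is an added illustration, not code from the comment, from SELinux, or from any shipping operating system: every path, tag name, binary and extension mapping in it is constructed for the example. It also takes up the "bonus points" idea of deriving tags from a file characteristic (here only the extension), and the parent-directory inheritance the comment notes in SELinux.

```python
"""Toy model of a tag-based file/process access scheme.

Added example for illustration only: not code from the comment above, from
SELinux, or from any real OS. All paths, tags and binaries are constructed.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Explicit tag sets per path (constructed). A directory's tags are inherited by
# everything beneath it that has no explicit tags of its own, much as a new file
# under SELinux takes its parent directory's type by default.
FILE_TAGS: dict[str, frozenset[str]] = {
    "/home/alice/Pictures": frozenset({"media"}),
    "/home/alice/Pictures/private": frozenset({"secret"}),
    "/home/alice/Music": frozenset({"media"}),
    "/home/alice/.ssh": frozenset({"secret"}),
    "/etc": frozenset({"config"}),
    "/srv/www": frozenset({"web"}),
}

# Automatic tags derived from a file characteristic, here just the extension
# (constructed mapping). These never grant access on their own; see may_access().
EXTENSION_TAGS: dict[str, str] = {
    ".jpg": "image", ".png": "image", ".mp3": "audio", ".html": "web",
}

# Tags a process receives from the binary it was launched from (constructed).
BINARY_TAGS: dict[str, frozenset[str]] = {
    "/usr/bin/image-viewer": frozenset({"media", "image"}),
    "/usr/bin/music-player": frozenset({"media", "audio"}),
    "/usr/bin/ssh": frozenset({"secret", "config"}),
    "/usr/sbin/httpd": frozenset({"web", "config"}),
    "/usr/bin/curl": frozenset(),  # an untagged binary can open nothing
}


def explicit_tags(path: str) -> frozenset[str]:
    """Nearest explicit tag set, walking from `path` up toward "/"."""
    p = posixpath.normpath(path)
    while True:
        if p in FILE_TAGS:
            return FILE_TAGS[p]
        parent = posixpath.dirname(p)
        if parent == p:          # reached the root without finding a tag set
            return frozenset()   # untagged: fail closed, nobody may open it
        p = parent


def auto_tags(path: str) -> frozenset[str]:
    """Tags derived automatically from the file's extension."""
    ext = posixpath.splitext(path)[1].lower()
    return frozenset({EXTENSION_TAGS[ext]}) if ext in EXTENSION_TAGS else frozenset()


@dataclass(frozen=True)
class Process:
    binary: str  # path of the binary this process was exec'd from

    @property
    def tags(self) -> frozenset[str]:
        return BINARY_TAGS.get(self.binary, frozenset())


def may_access(proc: Process, path: str) -> bool:
    """Two-part rule.

    1. The process must share at least one explicit (or inherited) tag with
       the file. This is the group-membership part of the scheme.
    2. Every automatic tag on the file must also be held by the process.
       Automatic tags therefore only ever narrow access: a .jpg dropped into
       a "secret" directory does not become readable by the image viewer,
       and a "media" process with no "image" tag is kept away from pictures.
    """
    explicit = explicit_tags(path)
    return bool(proc.tags & explicit) and auto_tags(path) <= proc.tags


if __name__ == "__main__":
    checks = [
        ("/usr/bin/image-viewer", "/home/alice/Pictures/cat.jpg"),
        ("/usr/bin/image-viewer", "/home/alice/Pictures/private/cat.jpg"),
        ("/usr/bin/music-player", "/home/alice/Pictures/cat.jpg"),
        ("/usr/bin/ssh", "/home/alice/.ssh/id_ed25519"),
        ("/usr/sbin/httpd", "/home/alice/.ssh/id_ed25519"),
        ("/usr/bin/curl", "/srv/www/index.html"),
    ]
    for binary, path in checks:
        verdict = "allow" if may_access(Process(binary), path) else "deny"
        print(f"{verdict:5} {binary} -> {path}")
```

The one design decision worth calling out is how the automatically derived tags are combined with the explicit ones. If they were simply unioned into the file's tag set and the rule were "any tag in common", then tagging every `.jpg` as `image` would make a photo inside a `secret` directory readable by any image-tagged process, which is exactly the "still maintaining security" problem the comment raises. Treating automatic tags as requirements the process must satisfy, rather than as grants, keeps them from ever widening access.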