by ungamedplayer 701 days ago
Absolutely depends on the use case. I'm attempting to talk in the generic case. If you limit policy to the minimum attack surface from outside the process, including permissions and capabilities, which are significantly more fine-grained in SELinux compared to normal Unix permissions, you reduce the capability of the attacker once they gain access to the system.

Imagine if they got access to local code execution... Binding to the SCTP protocol would instantiate the whole protocol in the kernel, effectively opening up whole new attack vectors. I can't see any other techniques (other than SELinux-like AC) that enable this kind of attack space reduction as easily.

I am aware that you can blacklist modules, etc., but this is just one of many examples.


You can use seccomp for some of it as well. But for seccomp, something in the hierarchy needs to do this actively.

While SELinux can be set up somewhat orthogonally to the running system. OTOH, systemd should make it easy to confine every service process.

For this sort of kernel attack surface reduction, I would use a combination of seccomp and runtime module loading restriction.

In the specific example of sctp, one can turn off loading of modules at runtime entirely.
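The two suggestions above (seccomp via systemd per-service hardening, and turning off runtime module loading so an SCTP socket can't pull the protocol into the kernel) as one concrete setup. This is an added example, not code from any commenter; the directive names are real systemd, modprobe.d and sysctl keys, the file names and the audit helper are my own, and every function takes its target directory as a parameter so it can be exercised against a scratch directory rather than the live system.

```shell
#!/bin/sh
# Added example: fragments for "seccomp plus module-loading restriction",
# plus an audit helper. All paths are parameters (constructed, not fixed).

# modprobe.d fragment: a kernel request for the sctp module (triggered by
# socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) via the net-pf-2-proto-132
# alias) runs /bin/false instead of loading it; blacklist covers alias lookups.
write_sctp_modprobe_drop_in() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' 'install sctp /bin/false' 'blacklist sctp' > "$dir/no-sctp.conf"
}

# systemd drop-in for one service: seccomp deny-list for the module syscalls,
# no explicit module loading, and a trimmed socket-family list. Note that
# RestrictAddressFamilies does NOT stop IPPROTO_SCTP under AF_INET on its own;
# the modprobe and sysctl pieces are what block the autoload.
write_service_drop_in() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=yes
ProtectKernelModules=yes
SystemCallFilter=~@module @obsolete
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
EOF
}

# sysctl fragment: once kernel.modules_disabled is 1, nothing (sctp or
# otherwise) can be loaded until reboot. Apply only after every module the
# host needs is already resident.
write_sysctl_drop_in() {
    dir="$1"
    mkdir -p "$dir"
    printf 'kernel.modules_disabled = 1\n' > "$dir/99-lock-modules.conf"
}

# Audit: exit 0 only when module loading is locked AND sctp is neutered in
# modprobe.d. $1 = path of the modules_disabled proc file, $2 = modprobe.d dir.
module_surface_locked() {
    disabled=$(cat "$1" 2>/dev/null || echo 0)
    [ "$disabled" = "1" ] || return 1
    grep -qsE '^(install|blacklist)[[:space:]]+sctp([[:space:]]|$)' "$2"/*.conf
}

# Usage on a real host (as root):
#   write_sctp_modprobe_drop_in /etc/modprobe.d
#   write_service_drop_in /etc/systemd/system/NAME.service.d
#   write_sysctl_drop_in /etc/sysctl.d
#   module_surface_locked /proc/sys/kernel/modules_disabled /etc/modprobe.d
```

After writing the drop-ins, `systemctl daemon-reload` and `sysctl --system` make them take effect; the audit helper reads the live proc file so it reports the real state, not just the intended one.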