Work that needs to be done

Writing much more sample policy (huge amount of work)

Change the remaining login type programs (xdm, kdm, etc) to change the domain of the user's process and to change the type of any device files

Sample policy similar to "lomac" with two domains for privileged and unprivileged processes.

Sample policy snippets for "no way out".