
You don't need a guide, it just works. If you're installing stuff from rpm (and not from a weird backalley repo) then it all just works.



> You don't need a guide, it just works.

It "just works" if the package you're installing has a corresponding SELinux profile. If it doesn't, you're in for a world of "fun" trying to come up with a correct profile.

(I've played with both SELinux and Grsecurity MAC systems in the past. I know that it's not impossible to create these profiles. I also know that it's not infrequently an enormous pain in the ass, and a thing that even experts sometimes get wrong.)


If something doesn't have a profile then it runs unconfined. That's simplified, but it really does work out of the box unless you do something weird (then you flip a boolean) or very weird (then you create a custom module).

But for a normal desktop user, it does just work.


Oh! That's super useful. I stand corrected.

I wonder if grsec's MAC system has grown an equivalent feature in the past four or five years. (If I overlooked the existence of such a thing in grsec, I'm gonna be so embarrassed.)


Hah. I'm a Linux user and even I don't believe it's that simple.


For GNU/Linux I find that if you stick with the commonly used packages in your distribution's repositories (on supported hardware), things do just work and it is that simple. However (and it is a big however!), the moment you go try something slightly different, good luck to you...



