> Piece by piece, I've been trying to remove the easiest of the terminal-actions that exploit code uses (i.e. getting to execve, or performing other system calls, etc).
> I recognize we can never completely remove all mechanisms they use. However, I hope I am forcing attack coders into using increasingly more complicated methods
It's honestly so ridiculous an OS that claims to have security as a focus refuses to add even some sort of basic MAC/RBAC implementation. Even both OSX and Windows have had something for ages now.
These things are kind of orthogonal. OpenBSD maybe gets there eventually.
OpenBSD is like a very hardened safe, made of steel and huge bolts and locks. Very polished, very smooth and hard surface.
MAC/RBAC is like having security officers, interviews, checking of IDs, filling in forms and getting an OK from one's boss before performing work someplace in the building and so on.
Both these things can be good. But OpenBSD was always about making a small system as hardened as possible. Evidently, they aren't completely done yet with making the core as hardened as possible.
Windows has great architecture, but instead severely lacks this hardness which OpenBSD possesses. What use is MAC/RBAC if someone can gain kernel access with a 0 day exploit?
Nah they won't. The devs have an irrational resistance to the very idea.
I disagree with your analogies. OpenBSD has a focus on auditing to remove all bugs, which is great, but they provide very little to help prevent what can be done if a bug is exploited, and they've certainly had no shortage of serious bugs.
> What use is MAC/RBAC if someone can gain kernel access with a 0 day exploit?
Kernel exploits are pretty rare. Most exploits are in userland.
Their safe is very hard, but once you are in, you are in. And I think I agree with your assessment, they aren’t likely to start creating MAC/RBAC solutions.