The fact that it's possible at all to have weaker security with MAC enabled is a design problem in itself. LSM/SELinux doesn't disable the check inherently, but it allows a policy writer to inadvertently do so, which is what we're addressing upstream.
The SELinux policy in RHEL5 for unconfined domains (i.e. local logged-in users) has no check. Eric's changes will allow the MAC and DAC checks to be properly separated, so SELinux policy can't override DAC in this case. (See Eric's blog entry; it has a much more thorough explanation.)