I'm all for increasing the security of the kernel. However I feel the ideal* case the kernel should be striving for is a compare/branch for the check. Does SELinux do any caching of its authentication results?
For example, once you have validated a process can read a given file descriptor do you need to re-run the whole capability checking logic for every sys_read()?
Of course, any such caching probably introduces another attack vector so care would have to be taken with the implementation?
*ideal being a target even if you may never actually reach that goal.
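To illustrate the caching question raised above, here is an added example (not kernel code, and not from the poster) of a small access-vector cache in the spirit of SELinux's AVC: on a hit the decision is a single mask-and-compare, and a policy sequence number makes every cached entry from an older policy a miss, so a reload cannot leave stale grants behind. The SIDs, the toy policy and all helper names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical, simplified access-vector cache (added illustration).
 * Decisions are keyed by (subject SID, object SID, object class). */
#define AVC_SLOTS 64
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u

struct avc_entry { uint32_t ssid, tsid, tclass, allowed, seqno; bool valid; };

static struct avc_entry avc[AVC_SLOTS];
static uint32_t policy_seqno = 1;          /* bumped on every policy reload */
static bool policy_read_allowed = true;    /* constructed toy policy knob */
static unsigned long slow_path_calls;      /* counts full policy evaluations */

/* Full policy evaluation (stand-in for the real rule lookup): subject 100
 * may read object 200 of class 1 while the knob is set; all else denied. */
static uint32_t policy_compute(uint32_t ssid, uint32_t tsid, uint32_t tclass) {
    slow_path_calls++;
    return (policy_read_allowed && ssid == 100 && tsid == 200 && tclass == 1)
           ? PERM_READ : 0;
}

static unsigned avc_hash(uint32_t s, uint32_t t, uint32_t c) {
    return (s * 31u + t * 17u + c) % AVC_SLOTS;   /* colliding keys just evict */
}

/* Fast path: a valid entry whose seqno matches the live policy answers with
 * one mask test. Anything else falls back to the full evaluation and refills. */
bool avc_has_perm(uint32_t ssid, uint32_t tsid, uint32_t tclass, uint32_t perm) {
    struct avc_entry *e = &avc[avc_hash(ssid, tsid, tclass)];
    if (!(e->valid && e->seqno == policy_seqno &&
          e->ssid == ssid && e->tsid == tsid && e->tclass == tclass)) {
        *e = (struct avc_entry){ ssid, tsid, tclass,
                                 policy_compute(ssid, tsid, tclass),
                                 policy_seqno, true };
    }
    return (e->allowed & perm) == perm;
}

/* Policy reload: bumping the sequence number invalidates every entry in O(1),
 * with no window in which a decision made under the old policy is honoured. */
void avc_policy_reload(bool allow_read) {
    policy_read_allowed = allow_read;
    policy_seqno++;
}

unsigned long avc_slow_path_calls(void) { return slow_path_calls; }
```

The slow-path counter shows the point of the cache: repeated checks of the same (subject, object, class) triple never re-run the policy logic until the policy itself changes.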