I take it that restrictions is a more accurate term here that the "rights" I used above? That is, we are talking about "allowed by default"? And does user ID play no role whatsover? I thought that "role" was important, and that there was a mapping of which UIDs could assume which roles. I was thinking of the "policy and labels" applied to executables when I talked about "binaries with the [SELinux] equivalent of capabilities", did I miss something important?