Also, this description - "kernel fixes to allow for setgid programs to open icmp" (from your comment) - is not entirely correct. What we're proposing on LKML is adding non-raw ICMP sockets (where one can only send certain things and receive certain relevant responses). This is not the same as permitting some programs to access the existing (raw) ICMP sockets. And this is post-Owl-3.0 stuff; on our 3.0 release, we left out the ping special case (ping is simply restricted to invocation by root by default, although this is configurable; our traceroute works as non-root fine).
Overall, Owl 3.0 is primarily about the hardened userland. We do not use filesystem capabilities, and our userland is usable with mainstream kernels (although we do provide and recommend a specific RHEL5/OpenVZ patched kernel). In fact, some people are running our userland in OpenVZ containers on non-Owl host systems (we provide pre-created OpenVZ templates of the userland), although we generally use Owl for both "host" and "guest" ourselves.