Nice article. As usual in this context, it raises more questions than it can answer. Of course...
A small note too, as a reaction to the last sentence, from someone paid for security (and not for usability). If all users want to install arbitrary applications from untrusted sources, well... my first reaction is that the situation is desperate. Given such a design requirement, isn't the right design decision to _remove_ all security from the system?
As a friend of my users, I would probably feel guilty about abandoning them with such insecure systems; but as an engineer, I have the feeling that the only sensible, rational solution to such a requirement is the removal of security functions.
I am not happy with the situation, but it's because I do not have the same _requirements_; not because of conflicting or inadequate or complex security mechanisms.
I do not want to minimize the Smack vs. SELinux debate, or to obscure the (certainly necessary) work on expanding our practical experience with the implementation of generic and/or more targeted security functions.
However, shouldn't we focus on the high-level security requirements? It seems this is something users are not able to achieve. But someone must do it, and it does not seem to be easy.
We probably cannot express the "average user" security requirements, because most readers here are computer power users. But we could express our own security requirements. We are not so different from regular users: we care more about protecting the privacy of our family pictures than about ASLR randomness quality; we care more about the access control to our online banking than to our LWN account; etc. As an added bonus, there is probably an understanding of the impact of weak password storage and/or remotely accessible vulnerable system services, and of many other technical subtleties (including SELinux configuration complexity), that average users do not have at all.
Maybe such requirements could provide those implementing security functions with enough fuel for reaching a well-recognized and generally useful target?
This also reminds me of the FreedomBox initiative. Initially, I put a lot of hope in that idea; but now that I see their requirements, I'm less interested _personally_. (I still find it very interesting as a security-oriented project; but less so for my personal usage.)