CloudABI
Posted Feb 12, 2016 0:11 UTC (Fri) by dlang (guest, #313)
Parent article: CloudABI
This hits on my grief with SELinux: it's a system-wide config that must include everything, and as such is too complex for anyone to understand. The policies have to be open to allow a wide range of 'typical' uses, and locking them down becomes very hard.
With AppArmor, you can focus on just one app at a time, and changing permissions for one app doesn't cascade to all other apps (yes, I am aware that this can let you open unexpected side-channels, but it's worth it to be able to narrow the scope).
This makes the AppArmor configs simple enough that it's within the realm of possibility for normal sysadmins to adjust them.
