From Fedora Project Wiki

Revision as of 15:19, 1 October 2010 by Dmalcolm (talk | contribs) (page creation)

Four audiences for SELinux

  • "old-school" sysadmin: used to editing files under /etc, restarting services, etc etc; in runlevel 3; reads manpages; may be more familiar with other Posix systems that don't have MAC, and is surprised when things don't work quite the way they're used to
  • semi-technical/Windows sysadmin: uses system-config-* and looks in gnome-system-monitor, in runlevel 5
  • non-technical user; ideally doesn't know what "the kernel" is, and if they've even heard of SELinux, it's at the level of a feature bulletpoint and is "magic".
  • the cracker who's gained a local account on the box via a zero-day exploit, and who is trying to escalate their privs up to the point where they have control of local user data, of services on the box, or root. Obviously we want to make life difficult for this persona.

Ideas for the "old-school" sysadmin

(brainstorming here)

man pages

  • add an (optional) SELinux section to the standard manpage layout
  • proposal: all confined services should have an SELinux section, with a description of defaults, and a list of booleans affecting the service (can this be autogenerated somehow?)
  • do SELinux booleans have man pages? It seems to me that every SELinux boolean ought to have one, so that typing "man httpd_enable_homedirs" shows something (to help make SELinux more "discoverable" to this user). Can these man pages be autogenerated from the existing documentation, i.e. the boolean descriptions the policy already ships? (Seems like a new subsection within the "man" hierarchy, perhaps under "8"?)
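As an added example (not Fedora tooling and not part of the original page), here is one way the two autogeneration ideas above could work: parse the boolean list in the layout printed by "semanage boolean -l", pick out the booleans that belong to a service, and emit a groff SELINUX section for that service's man page plus a tiny per-boolean man page. The sample boolean listing is constructed; the "service prefix" rule (a boolean belongs to httpd if its name starts with "httpd_") is an assumption and misses booleans shared between services, which would need an explicit mapping.

```python
"""Autogenerate SELinux man-page material from the boolean list.

Added example, not Fedora's own tooling.  SAMPLE_SEMANAGE_OUTPUT is a
constructed sample in the layout of `semanage boolean -l`; live_booleans()
runs the real command (assumes policycoreutils is installed and you are root).
"""
import re
import subprocess

# Constructed sample: name, (current state, default), description.
SAMPLE_SEMANAGE_OUTPUT = """\
SELinux boolean                State  Default Description

httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
samba_enable_home_dirs         (off  ,  off)  Allow samba to export home directories
"""

BOOLEAN_LINE = re.compile(
    r"^(?P<name>\w+)\s+\(\s*(?P<state>on|off)\s*,\s*(?P<default>on|off)\s*\)\s+(?P<desc>.*)$"
)


def parse_booleans(text):
    """Return {name: (state, default, description)} from semanage-style text.
    Header and blank lines do not match the pattern and are skipped."""
    result = {}
    for line in text.splitlines():
        m = BOOLEAN_LINE.match(line.strip())
        if m:
            result[m["name"]] = (m["state"], m["default"], m["desc"].strip())
    return result


def booleans_for_service(booleans, service):
    """Heuristic (assumption): a boolean affects a service if its name starts
    with the service's domain prefix, e.g. 'httpd_'.  Booleans shared between
    services would need an explicit mapping instead."""
    prefix = service + "_"
    return {n: v for n, v in sorted(booleans.items()) if n.startswith(prefix)}


def render_selinux_section(service, booleans):
    """Emit a groff fragment: an 'SELINUX' section listing each boolean, its
    description and default, and the setsebool command that enables it."""
    lines = [".SH SELINUX",
             f"The \\fB{service}\\fR daemon runs in a confined SELinux domain. "
             "The following booleans affect it:",
             ".TP 4"]
    for name, (state, default, desc) in booleans.items():
        lines.append(f".B {name}")
        lines.append(f"{desc} (default: {default}). "
                     f"Enable with \\fBsetsebool -P {name} on\\fR.")
        lines.append(".TP 4")
    lines.pop()  # drop the trailing .TP that has no entry after it
    return "\n".join(lines) + "\n"


def render_boolean_manpage(name, info, section="8"):
    """Emit a minimal man page so that 'man <boolean>' would show something."""
    state, default, desc = info
    return "\n".join([
        f'.TH {name.upper()} {section} "" "SELinux booleans"',
        ".SH NAME", f"{name} \\- {desc}",
        ".SH DESCRIPTION", f"{desc}. Default value: {default}.",
        ".SH USAGE", f".B setsebool -P {name} on",
        ".SH SEE ALSO", "setsebool(8), getsebool(8), semanage(8)",
    ]) + "\n"


def live_booleans():
    """Parse the real boolean list (assumes `semanage` is available)."""
    out = subprocess.run(["semanage", "boolean", "-l"], check=True,
                         capture_output=True, text=True).stdout
    return parse_booleans(out)


if __name__ == "__main__":
    allb = parse_booleans(SAMPLE_SEMANAGE_OUTPUT)
    print(render_selinux_section("httpd", booleans_for_service(allb, "httpd")))
    print(render_boolean_manpage("httpd_enable_homedirs", allb["httpd_enable_homedirs"]))
```

Feed the first output through "man -l -" (or append it to the service's man page source) to see the rendered section; the per-boolean pages would be installed under section 8 as the note above suggests.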

/etc comments

  • proposal: every confined program with a config file under /etc should carry a comment in that file describing the booleans that affect it, so that when the sysadmin turns on a feature in the config there is a reminder right there to enable the corresponding boolean

service startup

  • proposal: all confined programs that read a config file and can be affected by booleans should detect, at startup and whenever the config is re-read, that the config is out of step with the booleans, and issue a warning naming the booleans to enable (a warning rather than a refusal to start, since the sysadmin may have left a boolean off deliberately)
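As an added example of the startup check proposed above (illustrative code, not httpd's or Fedora's), the snippet below scans an httpd config for features that depend on a boolean, reads boolean state in the layout printed by "getsebool -a", and returns a warning for each enabled feature whose boolean is off. The config fragment and the getsebool text are constructed samples; the directive-to-boolean mapping covers only three real httpd booleans and is an assumption, not a complete list.

```python
"""Warn at startup when an httpd config depends on SELinux booleans that are off.

Added example, not httpd's or Fedora's code.  The config, the getsebool text
and the FEATURE_BOOLEANS mapping are constructed/illustrative (assumptions).
"""
import re
import subprocess
import sys

# Constructed httpd.conf fragment: UserDir and CGI on, proxying commented out.
SAMPLE_HTTPD_CONF = """\
# Enable per-user public_html directories
UserDir public_html
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#ProxyPass /app http://backend.example.com/
"""

# Constructed text in the layout of `getsebool -a` ("name --> on|off").
SAMPLE_GETSEBOOL_OUTPUT = """\
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
"""

# (directive pattern, boolean that must be on, what the directive enables).
# Assumption: an illustrative subset of the real httpd booleans.
FEATURE_BOOLEANS = [
    (re.compile(r"^\s*UserDir\s+(?!disabled\b)\S", re.I | re.M),
     "httpd_enable_homedirs", "UserDir is enabled"),
    (re.compile(r"^\s*ScriptAlias\s", re.I | re.M),
     "httpd_enable_cgi", "ScriptAlias maps a CGI directory"),
    (re.compile(r"^\s*Proxy(Pass|Remote)\s", re.I | re.M),
     "httpd_can_network_connect", "ProxyPass/ProxyRemote connects to a network backend"),
]


def parse_getsebool(text):
    """Return {name: True/False} from getsebool-style lines; other lines are ignored."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+-->\s+(on|off)\s*$", line.strip())
        if m:
            state[m.group(1)] = m.group(2) == "on"
    return state


def config_mismatches(config_text, booleans):
    """Return one warning per feature enabled in the config whose boolean is
    off.  A boolean missing from the loaded policy is reported too rather
    than silently treated as satisfied."""
    warnings = []
    for pattern, boolean, why in FEATURE_BOOLEANS:
        if not pattern.search(config_text):
            continue  # feature not enabled; boolean state is irrelevant
        if boolean not in booleans:
            warnings.append(f"{why}, but boolean {boolean} is not known to the loaded policy")
        elif not booleans[boolean]:
            warnings.append(f"{why}, but SELinux boolean {boolean} is off; "
                            f"run: setsebool -P {boolean} on")
    return warnings


def live_booleans():
    """Read the real boolean state (assumes `getsebool` from libselinux-utils)."""
    out = subprocess.run(["getsebool", "-a"], check=True,
                         capture_output=True, text=True).stdout
    return parse_getsebool(out)


def check_config(config_text, booleans):
    """Startup hook: print each mismatch to stderr and return their count.
    Returns 0 when config and booleans agree; the daemon keeps starting
    either way, since the boolean may be off on purpose."""
    warnings = config_mismatches(config_text, booleans)
    for w in warnings:
        print(f"warning: {w}", file=sys.stderr)
    return len(warnings)


if __name__ == "__main__":
    check_config(SAMPLE_HTTPD_CONF, parse_getsebool(SAMPLE_GETSEBOOL_OUTPUT))
```

On the constructed sample this warns only about httpd_enable_homedirs: CGI is enabled in both places, and the ProxyPass line is commented out so httpd_can_network_connect being off is not reported. Wire the check into the service's config-reload path and it fires on SIGHUP as well as at startup.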