MAC is one of those environments like OOP or Lisp; an approach that twists your head around on a completely different axis than you might have been previously accustomed to.
Programming techniques you'd expect to work from previous experience in DAC-land can become a serious hassle; transferring files inward and upward is easy, but outward or downward or across is blocked. Copies. Mail. Pipes. Whatever. And if you're writing a server or daemon that deals with multiple levels or multiple categories, then your code has a huge target painted on it; you're writing OS-related security-sensitive code.
Multilevel was (somewhat?) more popular back in the early 1990s; there was various and even some elegant work back then, but those products turned out to be more expensive to sell, buy, manage, and to program, and with specific programming requirements. Folks looked at all that, and then tended to buy DAC and used multiple single-level boxes, and quite possibly as guests within a VM. Choosing these system-high configurations had the obvious effects on the MAC market, too.
But to answer your "prefer?" question, none of them, really. Not without a very specific requirement for all the MAC hassles. Then, and as a distant second to running system-high, I'd probably pick SELinux.
Sorry for fueling the flames, but: they're all mostly useless. That is, non-broken software doesn't need them, and it's very hard to write a profile that doesn't allow hacked broken software to take over the machine anyway. Especially with Linux' large number of local exploits. There are almost always better ways to spend your sysadmin time.
It's another layer of protection, agreed. But the general consensus amongst people who use these systems is to turn them off. They'e not user friendly (see my post below), pretty much always badly documented, and most people don't have the time required to understand them.
They're all quite rubbish. SELinux logs violations to syslog with 'avc'. You have to actually learn that 'access vector cache' is a component of SELinux. Why not just write 'selinux' instead rather than making me learn it's shite jargon?
MAC is one of those environments like OOP or Lisp; an approach that twists your head around on a completely different axis than you might have been previously accustomed to.
Programming techniques you'd expect to work from previous experience in DAC-land can become a serious hassle; transferring files inward and upward is easy, but outward or downward or across is blocked. Copies. Mail. Pipes. Whatever. And if you're writing a server or daemon that deals with multiple levels or multiple categories, then your code has a huge target painted on it; you're writing OS-related security-sensitive code.
Multilevel was (somewhat?) more popular back in the early 1990s; there was various and even some elegant work back then, but those products turned out to be more expensive to sell, buy, manage, and to program, and with specific programming requirements. Folks looked at all that, and then tended to buy DAC and used multiple single-level boxes, and quite possibly as guests within a VM. Choosing these system-high configurations had the obvious effects on the MAC market, too.
But to answer your "prefer?" question, none of them, really. Not without a very specific requirement for all the MAC hassles. Then, and as a distant second to running system-high, I'd probably pick SELinux.