Hi!
I can also confirm that a workstation with GrSecurity+PaX (without
RBAC/SELinux) is very easy to set up and works very well nowadays - all
you need is to carefully set the kernel options related to GrSecurity and
PaX and rebuild the whole system using hardened gcc.
The problematic software is nvidia-drivers (it works, but requires extra
paxmarking for some apps like Xorg and mplayer) and vmware (usually needs
extra patches and hasn't worked on amd64 for years - virtualbox and
qemu/kvm work ok, so it's not a big deal).
--
WBR, Alex.