I don't claim direct experience with that particular level, but in my project we needed finely grained granting of access to files in a shared directory, while a tech guy should be able to access his stuff.

THEN, many, many groups of overlapping files/permission groups.

Then, track every VIEW (you heard that, VIEW) (as well as deltaed changes of course) of bytes in a file. Every read in every file in that dir was logged. It was sent one way to the logging machine. The machine was set up for no outgoing packets, only local access. Wire cut isolation.

When the NSA created those extensions, they wanted THEIR level of security without having to maintain an active kernel.