* more security features a la ExecShield
Five things come to mind as more details:
* StackGuard equivalent (patch posted for GCC inclusion already)
* per user /tmp via namespace tricks
* more SELinux "execmem"
* more SELinux targeted protection
* Better SELinux/security GUI