Would we have to also remove controls like "only unconfined can reload policy"? Or did we do that already when cap mac_admin was introduced? Would we want to add new policy language to provide fine-grained control of cap mac_admin?