Our devs can't install software without an reason or check. External packages/modules/... have an 24 hour delay, except for retractions and are scanned for malware. Selinux does the rest and we encourage devs to write policies for their applications.