I would like to see, as far as the ACLs go, the ability to allow or deny creating files in a directory.
So, for example, in /dev (a common place for hiding intruder log files, programs, etc.), you allow reading to and from devices, allow reading the contents of the directory, but do not allow creating new files.
Basically, have an ACL for allowing/denying sys_creat and sys_open; also, perhaps for more fine-grained access, denying sys_unlink as well.