
No, you understood it correctly. There are several kernel exploits that involve things like sending nasty ioctls, opening raw devices, reading/writing to /dev/mem, etc. that SELinux will mitigate when it is in enforcing mode. It is not a catch-all by any means, but defense in depth involves multiple layers. SELinux has demonstrably prevented local privilege escalation 0days from working.

Edit:

More Info: https://www.redhat.com/archives/libvir-list/2008-August/msg0...


