SELinux provides *very* strong sandboxing capabilities. In very simplistic terms — access control can now be applied not just at the filesystem, but also across network access, X access, enforced and automatic chroots that are cleaned-up when the process ends, all with fine-grained audit logging.
But — this ain’t your grandma’s chmod. There is some significant complexity. But, depending in your risk model, it may very well be worth it.
Note — check out the sandbox util (policycoreutils-python) with the X capabilities (policycoreutils-sandbox). Provides a great tool for running individual processes under extremely tight lock-down.
mjs.fyi 