Using sandboxed applications
New applications that should only have very limited privileges, and that are untrusted by nature, should be confined completely. While we could look at custom SELinux policies for these applications, this is hardly possible for each and every application out there.
Instead, we can consider sandboxing the applications, isolating their access from the rest of the system. With the help of other Linux primitives such as namespace support, a utility called the SELinux sandbox has been created, which launches applications in a tightly confined domain. This is mostly meant for end user applications.
Important note
The SELinux sandbox, its SELinux policy, and the command associated with it are specific to Linux distributions that use or follow Red Hat packages, such as CentOS. It might not be available for your Linux distribution.
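As an added illustration (not code from the book), the following shell helper shows what launching an end user application through the SELinux sandbox looks like, and refuses to fall back to an unconfined launch when the tooling is missing. The flag names follow the sandbox(8) man page from policycoreutils-sandbox on Red Hat-based systems; the sandbox_web_t domain, the firefox command and the private directory paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the book: run a desktop application inside an
# SELinux sandbox domain. Assumes policycoreutils-sandbox (sandbox(8)) and
# getenforce from libselinux-utils; sandbox_web_t and firefox are illustrative.

# Return 0 only when the sandbox command exists and SELinux is enforcing,
# because without enforcement the sandbox domain confines nothing.
sandbox_available() {
    command -v sandbox >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] || return 1
    return 0
}

# Compose the sandbox invocation for a graphical application:
#   -X       start a nested X server so the GUI runs inside the sandbox
#   -t TYPE  sandbox domain; sandbox_web_t permits browser-style network access
#   -H DIR   private directory mounted as the sandbox's home (with -X/-M)
#   -T DIR   private directory mounted as the sandbox's /tmp (with -X/-M)
build_sandbox_cmd() {
    type="$1"; home="$2"; tmp="$3"; shift 3
    printf 'sandbox -X -t %s -H %s -T %s %s' "$type" "$home" "$tmp" "$*"
}

# Launch "$@" in the given sandbox type with private home and tmp directories.
# Exit status 2 means the sandbox is unavailable and nothing was started.
run_sandboxed() {
    type="$1"; home="$2"; tmp="$3"; shift 3
    if ! sandbox_available; then
        echo "SELinux sandbox not available; refusing to run '$*' unconfined" >&2
        return 2
    fi
    mkdir -p "$home" "$tmp"
    chmod 700 "$home" "$tmp"
    sandbox -X -t "$type" -H "$home" -T "$tmp" "$@"
}

# Only start the browser when explicitly asked, so sourcing this file is safe.
if [ "${DEMO_SANDBOX:-0}" = 1 ]; then
    run_sandboxed sandbox_web_t "$HOME/.sandbox/web-home" "$HOME/.sandbox/web-tmp" firefox
fi
```

Each launch gets its own private home and tmp directories, so files written by the sandboxed browser never land in the real home directory, and the sandbox domain rather than the user's domain decides what the process may touch.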
For service-oriented domains, using a container runtime and its protection measures is more suitable. For more information about using...