[sh_tinh_hair]

Selinux MAC is painful coming from DAC and it has bitten me numerous times but depending on your environment and exposure it can be a must have.

I wouldn't run an 'exposed' system that had SELinux support (and decent rules) without SELinux. Not discounting chroot, but given root a lot is possible in a jail.

[e12e]

Nit; a (Linux) chroot is not a jail. A bsd jail is more like an lxc container.

[sh_tinh_hair]

Understood. Same privilege escalation applies. ..and the syscall chroot is used between systems as a primitive in either os space and semantic.

[Drdrdrq]

Except AFAIK jail is meant to be secure while lxc (or at least docker) containers are not. Right?

[e12e]

Lxc has since 1.0 come with isolation and security as part of it's design and feature set. Docker started as a convenient approach to bundling up chroots - and AFAIK hasn't really made much of a real effort wrt security - other than somewhat ill-advised approach to tacking on (enabling) a feature here or there... (That's not counting external projects like rkt running images as vms etc).

Lxc is much closer to jails in that sense - but eg lxc/Lxd on Ubuntu is hardly (meant to be) a silver bullet.

[jeffgus]

Yeah, docker, initially, didn't use SELinux, but that was before RedHat took interest. RedHat likes making things more secure with SELinux.