"Adding containers to the basic functionality of an init only improves things."
Adding a /etc/rc.d/jail script improves security;-)
There are 2 things:
1. To add more functionality in the same tool increases complexity.
Complexity never increases security.
That is so obvious that it is hard to believe that someone would argue otherwise.
Do everything once, do not make it more complex as needed, and do it right.
2. Linux has cgroups and namespaces but some Linux design decisions are in the way of using them as _secure_ containers.
Procfs is an example of it. It's simply not designed with security in mind, and access to it is difficult to restrict.
The spread of Docker in such an environment (which can only be described as "hopefully safe enough") is a worry.
FreeBSD jail(8) has been in use for many years and can be considered safe. The pitfalls are known, disabled in the default setup, well documented, and there are no "hopefully safe"s in it.
"Which is still a minor issue compared to web browsers, MUAs..."
They do not run on my servers, and they should not be an excuse to run other software which is overly complex because Russell considers it a "lesser evil";-)
To go to your own stuff, e.g. SELinux:
A jail script can be subject to SELinux policies so jails can be restricted that way. This would apply to all jails, and nothing else.
If this is part of a larger binary which does all of init: SELinux cannot be applied in a similar way.
Regards
Peter