From: "Russell Coker" <russell@coker.com.au>

Apart from a few exceptions the SE Linux design is based on a default of deny

That is true and definitely adds a layer. Whether it is SELinux or containers - you rely on kernel code. Both can have vulnerabilities. SELinux is sharing the same name space with the rest of the system - so you can reach other services, files etc. by misconfiguration. People are lazy. The easiest way to get it work: allow everything for all. I just help someone to have a test instance of a website. There is a form writing data to one DB table (contact): What do I see: GRANT ALL for db.* for user anyone (no password). Regards Peter