SELinux has nothing to do with virtual machines. It takes a lot of work to write profiles for it; in the near future I plan to write some profiles to isolate Firefox and other applications, but unfortunately my time right now is being consumed doing other things. In short, I would say that SELinux is best thought of as application-specific restrictions. Ideally you would explicitly define everything that Firefox can do, and then the mandatory access controls will prevent it from doing anything else. Now when an attacker takes over Firefox they do not obtain the abilities of the user that runs it, but rather those of the MAC profile created for Firefox, which should be very restricted. Of course, how much security this affords you depends on how well you have defined what Firefox should be able to do. It might be appropriate to think of mandatory access controls as a sort of application-level firewall. There are even techniques for getting around this sort of protection, though.

One neat thing about SELinux is that it has default functionality that allows you to isolate applications to their own X window environment. This removes the ability to copy and paste between isolated windows, but it also removes the ability of an attacker who has pwned one of the windows to use the lack of default isolation to spy on keystrokes to all other windows. Ideally you would isolate applications with this SELinux feature, called simply SELinux sandbox, and then write further rules to restrict the individual applications, for example removing Firefox's ability to send traffic except over Tor, etc. SELinux can restrict an application from doing anything that you have not specifically allowed it to do, as well as allow an application to do anything you have not specifically prohibited it from doing. It also has a learning mode where it lets the application do anything but keeps a log of everything the application has done, to aid you in creating rule profiles.
Using SELinux for isolation is beyond a doubt seen as the superior choice over using virtual machines, at least by the majority of security researchers. Of course Theo of OpenBSD thinks mandatory access controls are stupid as well, but I think he would say they are vastly superior to using virtualization. Also, one exception is the creator of Qubes, who seems to be pretty fond of using Xen-based virtualization for isolation. As far as attackers being able to break out of virtualization....
http://www.neowin.net/forum/topic/1084015-us-cert-warns-of-guest-to-host-vm-escape-vulnerability/
http://seclists.org/fulldisclosure/2010/Mar/550
http://www.slideshare.net/kbour23/d1-t2-jonathan-brossard-breaking-virtualization-by-switching-to-virtual-8086-mode
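The learning-mode workflow the post describes (run the application in permissive mode, collect the AVC denials it logs, turn them into allow rules, then cut the result down so the browser can only reach Tor) as an added example. This is not code from the post or from the SELinux project; it is a small audit2allow-style converter written for this page. The audit lines are constructed, the `firefox_t` domain and the `firefox_local` module name are hypothetical, while `user_home_t`, `http_port_t` and `tor_port_t` are standard reference-policy types. Nothing here loads policy; the `checkmodule`/`semodule_package`/`semodule` steps are only named in a comment.

```shell
#!/bin/sh
# Constructed AVC denial lines in the format SELinux writes to
# /var/log/audit/audit.log while a domain runs in permissive (learning)
# mode. firefox_t is a hypothetical domain used for illustration.
AVC_SAMPLE='type=AVC msg=audit(1300000000.001:101): avc:  denied  { read } for  pid=1234 comm="firefox" name="cert8.db" dev="sda1" ino=4242 scontext=unconfined_u:unconfined_r:firefox_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1300000000.002:102): avc:  denied  { read write } for  pid=1234 comm="firefox" name="places.sqlite" dev="sda1" ino=4243 scontext=unconfined_u:unconfined_r:firefox_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1300000000.003:103): avc:  denied  { name_connect } for  pid=1234 comm="firefox" dest=443 scontext=unconfined_u:unconfined_r:firefox_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1300000000.004:104): avc:  denied  { name_connect } for  pid=1234 comm="firefox" dest=9050 scontext=unconfined_u:unconfined_r:firefox_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1300000000.005:105): avc:  denied  { read } for  pid=1234 comm="firefox" name="cert8.db" dev="sda1" ino=4242 scontext=unconfined_u:unconfined_r:firefox_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

avc_to_allow() {
    # stdin: raw audit lines. stdout: one "allow src tgt:class perm;" per
    # unique (source type, target type, class, permission). sed pulls the
    # permission set, the type field of scontext/tcontext and tclass; awk
    # fans a multi-permission set such as { read write } out to one rule
    # each; sort -u collapses the repeated denials.
    sed -n 's/.*avc: *denied *{\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{ for (i = 4; i <= NF; i++) print "allow " $1 " " $2 ":" $3 " " $i ";" }' |
    sort -u
}

allow_connect_only_to() {
    # Review step: the learning log records what the application did, not
    # what it should be allowed to do. Keep name_connect rules only for the
    # port type in $1 (the Tor SOCKS port); every other outbound connection
    # the browser attempted is dropped rather than allowed.
    awk -v keep="$1" '!/name_connect/ || index($3, keep ":") == 1'
}

wrap_in_module() {
    # stdin: allow rules. stdout: a type-enforcement module whose require
    # block declares every type and class/permission the rules reference.
    # Build and load it with (run as root, not executed here):
    #   checkmodule -M -m -o NAME.mod NAME.te
    #   semodule_package -o NAME.pp -m NAME.mod
    #   semodule -i NAME.pp
    awk -v name="$1" '
    {
        rules[NR] = $0
        types[$2] = 1
        split($3, tt, ":")
        types[tt[1]] = 1
        for (i = 4; i <= NF; i++) {
            p = $i
            sub(/;$/, "", p)
            if (!seen[tt[2], p]++) perms[tt[2]] = perms[tt[2]] " " p
        }
    }
    END {
        print "module " name " 1.0;"
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in perms) print "\tclass " c " {" perms[c] " };"
        print "}"
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}

firefox_tor_module() {
    # Full pipeline: denials -> allow rules -> only Tor may be connected to
    # -> loadable module source for the hypothetical firefox_local module.
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | allow_connect_only_to tor_port_t | wrap_in_module firefox_local
}

firefox_tor_module
```

The point of `allow_connect_only_to` is that a generated policy is only as tight as the review you give it: the log shows Firefox connecting directly to port 443, and blindly converting that denial into an allow rule would grant exactly the bypass the post says the extra rules are meant to remove. Keeping the one port type you intend, rather than deleting the ones you noticed, matches the explicit-allow approach the post recommends.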