The reason I’m not using SELinux or AppArmor is that I like the features used by containers better. With cgroups, I can make the root device read-only to confined processes. With seccomp-bpf, I can restrict important system calls such as init_module and mount to particular daemons. With LXC, calls to mount a block device can be redirected so another program that can strip out undesired options can perform the mount instead. I don’t want to use a copy of my root filesystem.
The features that LXC uses (namespaces, cgroups, chroot, seccomp) don’t have to be used with the intention of making a container, so using them in conjunction to create a sandbox that has the same root filesystem as the “host” is not outside their scope. LXC brings all these features together, so that’s why I’m looking to use it for the purpose I described in the first post.
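As an added example (not code from the original thread), here is the seccomp-bpf piece of that plan in C: a filter a confined daemon installs on itself so that init_module, finit_module and mount fail with EPERM for it and every child it spawns, while all other calls pass through untouched. It assumes x86_64 or aarch64 Linux; the paths used by the probe functions are constructed and never need to exist.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)   /* assumed targets; add the AUDIT_ARCH_* value for others */
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a seccomp-bpf filter on the calling thread (inherited across fork and
 * execve): kill on syscall-ABI mismatch, fail init_module, finit_module and mount
 * with EPERM, allow everything else. Returns 0 on success, -1 with errno set. */
int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),           /* ABI ok: skip kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_init_module, 2, 0),  /* -> EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_finit_module, 1, 0), /* -> EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 0, 1),        /* -> EPERM, else allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]),
                               .filter = filter };
    /* no_new_privs is required to load a filter without CAP_SYS_ADMIN and also
     * stops a later setuid exec from escaping it (see prctl(2) and seccomp(2)). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probes: 0 if the call went through, else its errno. Under the filter both give EPERM
 * before the kernel's mount or module-loading code is reached, whatever the privileges. */
int probe_mount(void) { return syscall(__NR_mount, "none", "/nonexistent", "tmpfs", 0UL, NULL) == 0 ? 0 : errno; }
int probe_init_module(void) { return syscall(__NR_init_module, NULL, 0UL, "") == 0 ? 0 : errno; }

int main(void) {
    if (install_filter() == -1) { perror("install_filter"); return 1; }
    printf("mount -> errno %d, init_module -> errno %d\n", probe_mount(), probe_init_module());
    return 0;
}
```

LXC still has to supply the redirected mount helper the post describes; this filter only guarantees that the confined process cannot reach the real mount or module-loading paths on its own.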