> I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and underestimating the risks.
Two things were in my mind when I wrote "a nightmare". While MAC tries to build up security from the bottom (TPM, boot, system call), a guest OS can be directly bound to the bottom. And the internals of a guest OS can hardly be observed (and therefore confined) from the host (or hypervisor). However, "a nightmare" was too much, as you suggested.