SELinux and containers are complementary
Posted Nov 6, 2025 7:59 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: SELinux and containers are complementary by tomf
Parent article: A security model for systemd
SELinux policy reflects the inherently wrong approach it takes to security. It starts with a simple idea that you just need to be able to compare the label lists. It can be formally analyzed (it's just set operations after all).
But then it turns out that you need to be able to label everything. And propagate the labels. And then have escape hatches from all of that. So pretty much every complex Linux installation ends up with disabled SELinux, some vendors don't even bother with it. Amazon ships their Amazon Linux with SELinux disabled by default.
AppArmor offers comparable security but much simpler policies. Yet it has never gained any traction because it's not complex enough, apparently.
