If you follow the SELinux development community a bit, you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or the Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've said before, not the same as its policy.
In fact, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce the exposure and leakage of user documents. We might not have the manpower to confine every desktop application, but I do think it is worthwhile to at least attempt it, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to put under a mandatory access control system.
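Whether a desktop application is actually confined is something you can check on the running system rather than take from the policy's documentation. The snippet below is an added example, not code from the original post or from the Gentoo Hardened project: it parses `ps -eZ` style lines and reports which processes run in the `unconfined_t` domain and which domain a named process runs in. The process listing is constructed here for illustration; the domain name `mozilla_t` for Firefox and the `staff_u:staff_r` user/role pair are assumptions about a reference-policy based setup.

```shell
# Added example (not from the original post): spot desktop processes that run
# unconfined under SELinux. The listing below mimics `ps -eZ` output and is
# constructed for illustration; on a real system pipe `ps -eZ` in instead.
SAMPLE_PS='staff_u:staff_r:mozilla_t:s0   2041 ?  00:00:12 firefox
staff_u:staff_r:unconfined_t:s0  2100 ?  00:00:01 evince
system_u:system_r:sshd_t:s0-s0:c0.c1023  812 ?  00:00:00 sshd'

# Print "<process> <domain>" for every process whose SELinux type is
# unconfined_t, i.e. a process the policy is not restricting at all.
unconfined_procs() {
    awk '{
        split($1, ctx, ":");        # context is user:role:type:level
        if (ctx[3] == "unconfined_t") print $NF, ctx[3];
    }'
}

# Print the domain type of the named process, or "none" if it is not running.
domain_of() {
    awk -v name="$1" '
        $NF == name { split($1, ctx, ":"); print ctx[3]; found = 1 }
        END { if (!found) print "none" }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
printf '%s\n' "$SAMPLE_PS" | domain_of firefox
```

If Firefox shows up as `unconfined_t` here, the policy is not confining it regardless of what the module claims; on a Gentoo Hardened desktop with the mozilla module loaded you would expect to see a dedicated domain instead.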