Every time I see firejail I think :
sandbox -X -w 1920x1080 -H temphome -T tmp -t sandbox_web_t
https://linux.die.net/man/8/sandbox
Description
Run the cmd application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.
If you have the policycoreutils-sandbox package installed, you can use the -X option and the -M option. sandbox -X allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
https://linux.die.net/man/8/sandbox_selinux
Description
Security-Enhanced Linux secures the sandbox processes via flexible mandatory access control.
The sandbox processes execute with the sandbox_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.