"Dan worried that while "[a] confined nsplugin is a nice feature
for confining plugins downloaded from the network. But if you run
openoffice and evince from within nsplugin they get confined,
causing the apps to not work properly." In response to Simo Sorce,
Dan explained that any attempt to write transition rules to enable
said applications to work properly would create an easy avenue of
attack. Simo wondered[4] if it would be possible to either write a
security wrapper to restrict the command line, or to get
application developers to honor SELinux labels in some way."