SELinux

SELinux is a Linux kernel security module that enforces the security of the system according to specific policies.

Basically, SELinux can restrict programs' access to files and network resources. The idea is to reduce the privileges of programs and daemons to the minimum they need, so that the risk of a compromised or misbehaving program disrupting the system is limited.
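As an added illustration, not code from the book, the following Python evaluates a small constructed set of SELinux type-enforcement allow rules with SELinux's default-deny semantics, showing how a policy limits what a program (here the web server domain httpd_t) may do to files; the type names mirror the stock policy's naming, but the rules themselves are made up for the demo.

```python
import re

# Constructed mini-policy in SELinux type-enforcement (TE) syntax: the web
# server domain may read its content files, but nothing grants it write access.
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow httpd_t httpd_sys_rw_content_t:file { read write getattr open };
"""

# allow <source_type> <target_type>:<class> { perm perm ... } ;  or a single perm
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Return a dict {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def type_of(context):
    """Extract the type field from a context like user:role:type[:level]."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]

def is_allowed(rules, subject_ctx, object_ctx, obj_class, perm):
    """Default deny: the access is permitted only if an allow rule grants it."""
    key = (type_of(subject_ctx), type_of(object_ctx), obj_class)
    return perm in rules.get(key, set())

def check_access(subject_ctx, object_ctx, obj_class, perm, policy=POLICY):
    """Parse the policy text and evaluate a single access request."""
    return is_allowed(parse_policy(policy), subject_ctx, object_ctx, obj_class, perm)

if __name__ == "__main__":
    httpd = "system_u:system_r:httpd_t:s0"
    for obj, perm in [("system_u:object_r:httpd_sys_content_t:s0", "read"),
                      ("system_u:object_r:httpd_sys_content_t:s0", "write"),
                      ("system_u:object_r:shadow_t:s0", "read")]:
        verdict = "allowed" if check_access(httpd, obj, "file", perm) else "denied"
        print(f"{perm:5} on {type_of(obj):25} -> {verdict}")
```

The read of shadow_t is denied even though no rule mentions it: on an enforcing system, any access a policy does not explicitly allow is refused and logged as an AVC denial.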

The preceding functionalities have been around for many years: namespaces were first released in 2002, and cgroups in 2005 by Google (cgroups were first named process containers and were later renamed cgroups). Outside Linux, Sun Solaris 5.10, released at the beginning of 2005, provided support for Solaris containers.

Nowadays, Linux containers are the new buzzword, and some people think they are a new means of virtualization.

Virtualization takes a totally different approach. It emulates: it doesn't run processes directly on the CPU, and it emulates a resource rather than owning it. The emulation creates overhead in the execution phase; performance may still be good, but it will certainly need more resources. Each VM has its own dedicated OS, as shown in the following diagram:

Stack virtualization

Containerization uses resources directly and needs no emulator at all; using fewer resources means more efficiency. Different applications can run on the same host, isolated at the kernel level by namespaces and cgroups. The kernel (that is, the OS) is shared by all containers, as shown in the following diagram:

Stack containerization