I have written SE Linux policy for administration of a chroot environment. That allows me to give full root administration access (ability to create/delete users, kill processes running under different UIDs, ptrace, etc) to a chroot environment without giving any access to the rest of the system.
It's the same as the BSD Jail setup except that I haven't implemented my solution for the "one IP address per jail" issue yet (I think that the design is good, the code just hasn't been debugged). One of the many possible uses for this is the scenario where you have a fast machine with lots of storage that makes a good development box, and you want to allow someone to do package development on the machine (but don't trust them will full access). This use could help address some of the problems we have with KDE and GNOME development. If you would like to try this out then send me a private email and I'll give you an account on my test machine. It's only a small machine (not a development machine), but if you're interested in SE Linux you could have some fun playing with it. -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the >From field.