Would it be possible to sandbox apps with SELinux?

Many apps require too much permissions that they do not need to function Most apps needs internet connection to talk to some API (let's say updates checking or notifications.. etc) and need to access SD Card (for buffering/caching). But if we grant them this they can take all of my data. It would be great if the OS is structured in a way so that we can grant apps access only to specific directories that only belong to it (think of browser cache, youtube buffer ...) and when the user promptly and consciously want to pass files (eg. upload file throw a web browser) they get staged/promoted/linked to that area accessible by the app. till that happens, we have SELinux in many android phones can we use it to sandbox apps (the idea is there since 2009 see http://danwalsh.livejournal.com/28545.html) here is the question: can we define a policy that says (if yes how) - those apps are not allowed to access my gallery directory (DCIM) - those apps are allowed to access my gallery but are not allowed to use network connection in desktop Linux it was successfully applied (here it was applied on firefox http://danwalsh.livejournal.com/31146.html)