Running a VM on a host wich has RSBAC + PaX as kernelfeatures.
My choose is the KVM, because ist the easiest for use and already included in the the mainline kernel. Its has enough performace to work on the guest without knowing that it’s a virtualized machine.

To get more security as the basic distributions offers, to protect the hostsystem
I did this:

• installed the gentoo-hardened
• running the guestprocess as unpriviliged user (see HowTo)
• setup rsbac_jail to start kvm-guest with it (see kvm guest jail)

run-jail is a script wich allow us to setup the rsbac-jail with a configurationfile.

This is the documentation site for rsbac_jail