Sandboxing code on a Linux machine
I'm in the process of writing an application in C++ on Linux. The goal is
to have it load dynamically linked libraries at run-time and to provide
all the services that the libraries require. The main aim is to have it
act as a black box where code loaded at run-time can not break out and
damage the rest of the system.
I've never done anything like this before and am a little lost as to the best
method to take. If I load all the dynamically linked libraries under a
special process and then use something like SELinux to limit the ability
of the central daemon to do anything outside of its requirements, would
that seem like a reasonable solution?
The reason I ask is that I want to allow people to load code into this
container application that then handles all the server-side stuff for
them, so things such as security, permissions, networking, logging, etc. are
all provided with a simple, clean and cross-platform API regardless of the
version of UNIX that the container is running on.
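The "special process" half of the approach above, as an added example that is not part of the original post: the container forks a child, strips the child of the ability to exec or spawn processes with a seccomp-bpf filter, caps its CPU time and file writes with rlimits, and keeps only a pipe to it, so a plugin that crashes, loops or tries to escape takes down the child and not the container. It assumes Linux on x86-64 or AArch64; the function names (`run_sandboxed`, `install_seccomp`, `apply_rlimits`) and the four sample plugins are constructed for this illustration and stand in for the entry point a real container would obtain with `dlopen()`/`dlsym()` inside the child before installing the filter.

```cpp
// Added example (not from the original post). Assumes Linux, x86-64 or
// AArch64, and a plugin entry point of type int(). Names are illustrative.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <csignal>
#include <cstddef>
#include <cstdlib>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL  // pre-4.14 kernel headers
#endif
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only carries an arch check for x86-64 and AArch64"
#endif

enum class Outcome { Finished, Aborted, SetupFailed };
struct SandboxResult {
    Outcome outcome;
    int value;   // plugin's return value when outcome == Finished
    int signal;  // terminating signal when outcome == Aborted (0 if plain exit)
};

// Deny-list seccomp filter: kill the process on execve/execveat/clone, allow
// everything else. A deny-list is only a demonstration; a production sandbox
// allow-lists exactly the syscalls the plugin API needs.
static bool install_seccomp() {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),  // foreign ABI
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = {
        static_cast<unsigned short>(sizeof(filter) / sizeof(filter[0])), filter};
    // no_new_privs lets an unprivileged process install a filter and also
    // stops setuid binaries from regaining privilege later.
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return false;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0;
}

static bool apply_rlimits() {
    struct rlimit cpu = {1, 2};    // SIGXCPU after 1 s of CPU, SIGKILL after 2 s
    struct rlimit fsize = {0, 0};  // any write to a regular file is refused
    return setrlimit(RLIMIT_CPU, &cpu) == 0 && setrlimit(RLIMIT_FSIZE, &fsize) == 0;
}

// Run `entry` in a restricted child; its only channel back is a pipe carrying
// the result. If the sandbox cannot be set up, the plugin is never run.
SandboxResult run_sandboxed(int (*entry)()) {
    int fds[2];
    if (pipe(fds) != 0) return {Outcome::SetupFailed, 0, 0};
    pid_t pid = fork();
    if (pid < 0) return {Outcome::SetupFailed, 0, 0};
    if (pid == 0) {
        close(fds[0]);
        if (!apply_rlimits() || !install_seccomp()) _exit(126);
        int v = entry();
        (void)write(fds[1], &v, sizeof v);
        _exit(0);
    }
    close(fds[1]);
    int value = 0;
    ssize_t n = read(fds[0], &value, sizeof value);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status)) return {Outcome::Aborted, 0, WTERMSIG(status)};
    if (WEXITSTATUS(status) == 126) return {Outcome::SetupFailed, 0, 0};
    if (n == static_cast<ssize_t>(sizeof value)) return {Outcome::Finished, value, 0};
    return {Outcome::Aborted, 0, 0};  // exited without reporting a result
}

// Constructed sample plugins standing in for dlopen'ed entry points.
int good_plugin() { return 42; }
int crashing_plugin() { abort(); }
int escaping_plugin() { execl("/bin/true", "true", (char*)nullptr); return 7; }
int spinning_plugin() { volatile unsigned long x = 0; for (;;) ++x; }
```

Two caveats a practitioner would add. First, seccomp and SELinux are complementary, not alternatives: the filter decides which system calls the child may make at all, while an SELinux domain for the child decides which files, sockets and ports those calls may reach, and it is the process boundary that keeps a crash in the plugin from taking the container down with it. Second, a forked child inherits every open descriptor and the whole of the parent's memory, so a real container closes or clears anything the plugin must not see before calling the entry point, or execs a minimal helper binary instead of forking.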