diff --git a/site/docs/bazel-user-manual.html b/site/docs/bazel-user-manual.html
index 2c615eea3453f9..3a367ec5307517 100644
--- a/site/docs/bazel-user-manual.html
+++ b/site/docs/bazel-user-manual.html
@@ -952,6 +952,23 @@

Build consistency and incremental builds

+

Sandboxed execution

+

+ In order to guarantee hermeticity (i.e. the build does not use input files
+ that are not explicitly listed and does not produce output files that were
+ not expected to be created) and correctness, Bazel runs spawns (i.e. a
+ compiler invocation) in sandboxes that only contain the minimum necessary
+ set of files for the tool to run and do its work. Currently this works on
+ Linux 3.12 or newer with the CONFIG_USER_NS option enabled. Bazel will
+ print a warning if sandboxing cannot be used to alert you to the fact that
+ builds are not guaranteed hermetic and might affect the host system in
+ unknown ways.
+

+

+ To disable the warning about non-sandboxed execution, you can pass the
+ --ignore_unsupported_sandboxing flag to Bazel.
+

+

Deleting the outputs of a build

The clean command

diff --git a/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java b/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
index f8e0c7d5ed5a4d..380e05c83a6efa 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
@@ -30,19 +30,26 @@ public final class BazelMain {
 private static final String BUILD_DATA_PROPERTIES = "/build-data.properties";
- public static final List> BAZEL_MODULES = ImmutableList.of(
- com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
- com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
- com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
- com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
- com.google.devtools.build.lib.bazel.dash.DashModule.class,
- com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
- com.google.devtools.build.lib.sandbox.SandboxModule.class,
- com.google.devtools.build.lib.standalone.StandaloneModule.class,
- com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
- com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class,
- com.google.devtools.build.lib.worker.WorkerModule.class
- );
+ /**
+ * The list of modules to load. Note that the order is important: In case multiple modules provide
+ * strategies for the same things, the last module wins and its strategy becomes the default.
+ *
+ *

Example: To make the "standalone" execution strategy the default for spawns, put it after
+ * all the other modules that provider spawn strategies (e.g. WorkerModule and SandboxModule).
+ */
+ public static final List> BAZEL_MODULES =
+ ImmutableList.of(
+ com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
+ com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
+ com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
+ com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
+ com.google.devtools.build.lib.bazel.dash.DashModule.class,
+ com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
+ com.google.devtools.build.lib.worker.WorkerModule.class,
+ com.google.devtools.build.lib.standalone.StandaloneModule.class,
+ com.google.devtools.build.lib.sandbox.SandboxModule.class,
+ com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
+ com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class);
 public static void main(String[] args) {
 BlazeVersionInfo.setBuildInfo(tryGetBuildInfo());
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
index 73d3682393938a..7c720dc69883e5 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
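Review bot: In BazelMain.java, whether spawns run sandboxed by default now depends only on SandboxModule being listed after WorkerModule and StandaloneModule in BAZEL_MODULES, and nothing at that entry says so. The new Javadoc states the "last module wins" rule, but its example describes making "standalone" the default, the opposite of what this list does, so a later reorder could silently drop sandboxing as the default. I would add a comment above the SandboxModule entry, `// Must stay after WorkerModule and StandaloneModule so that sandboxed execution remains the default spawn strategy.`, and fix the typo `provider spawn strategies` to `provide spawn strategies`. The code that applies the ordering is outside this hunk, so the rule is taken from the Javadoc alone; a test asserting the relative order would guard it better than a comment.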
@@ -53,21 +53,25 @@ public class BazelRulesModule extends BlazeModule {
 */
 public static class BazelExecutionOptions extends OptionsBase {
 @Option(
- name = "spawn_strategy",
- defaultValue = "standalone",
- category = "strategy",
- help = "Specify how spawn actions are executed by default."
- + "'standalone' means run all of them locally."
- + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+ name = "spawn_strategy",
+ defaultValue = "",
+ category = "strategy",
+ help =
+ "Specify how spawn actions are executed by default."
+ + "'standalone' means run all of them locally."
+ + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+ )
 public String spawnStrategy;
 @Option(
- name = "genrule_strategy",
- defaultValue = "standalone",
- category = "strategy",
- help = "Specify how to execute genrules."
- + "'standalone' means run all of them locally."
- + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+ name = "genrule_strategy",
+ defaultValue = "",
+ category = "strategy",
+ help =
+ "Specify how to execute genrules."
+ + "'standalone' means run all of them locally."
+ + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+ )
 public String genruleStrategy;
 @Option(name = "strategy",
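Review bot: With `defaultValue = ""` on both `spawn_strategy` and `genrule_strategy`, the help text no longer tells the user which strategy runs when the flag is unset; the unchanged wording only describes 'standalone' and 'sandboxed'. Because the choice decides whether actions are isolated from the host, the help should say how the empty default is resolved, for example `+ "If unset, the default is chosen by the registered strategy modules. "` (the resolution code is not in this hunk, so confirm the wording against it). The concatenated literals also have no separating spaces, so the rendered help reads `by default.'standalone' means`; end each literal with a space, e.g. `"Specify how spawn actions are executed by default. "`. BazelExecutionOptions continues past the end of the hunk.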