> ...until it doesn't, and then what?

The comment was slightly off-topic and mainly pointed towards his
decision to disable SELinux on a distribution which had enabled it by
default. On Gentoo, if you enable SELinux, see all of the AVCs and
decide to nope right out of there, you are making an informed decision
(by virtue of needing to learn a great deal about SELinux to set it up
in the first place).

> I could have half-assed it with audit2allow, but security-wise that's a
> cop-out.

I'm not sure it's a complete cop-out as long as you read the
suggestions audit2allow is making. The policy you end up with will not
be ideal and will certainly be full of holes, but at least you are
somewhat aware of the risk a given service is to your system.

> I'd like to find a middle ground, and it might be Targeted mode (I was
> attempting Strict).  Or, it might be a different system like AppArmor.

Yeah, my ending suggestion was to run in targeted mode (if you wanted
to bother with SELinux at all) but that mainly serves as a workaround
for desktop-oriented stuff. Containers or virtualization are also
options.
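Reading audit2allow's suggestions instead of applying them blindly, as the message above argues, comes down to looking at each generated allow rule and asking what it hands the domain. The following is an added example, not code from the original message or from any Gentoo or SELinux project: it parses a few constructed AVC denial lines in auditd's format, merges them into allow rules of the same shape audit2allow emits (one rule per source type, target type and object class, with `self` when source and target match), and flags the rules a reviewer should stop on. The sample AVC lines, the type names such as myapp_t, and the lists of dangerous permissions and sensitive target types are assumptions chosen for illustration, not output captured from a real system.

```python
import re
from collections import OrderedDict

# Constructed sample AVC denials in the format auditd writes to audit.log.
# These lines are made up for illustration; myapp_t is a hypothetical domain.
SAMPLE_AVCS = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="ntpd" name="leap-seconds.list" dev="sda1" ino=4321 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { execmem } for  pid=1301 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { dac_override } for  pid=1301 comm="myapp" capability=1 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1301 comm="myapp" name="shadow" dev="sda1" ino=99 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { open } for  pid=1201 comm="ntpd" path="/etc/leap-seconds.list" dev="sda1" ino=4321 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Permissions that widen a domain far beyond "let the daemon read its config":
# W^X bypasses, DAC bypass, and other capabilities that amount to root.
# This list is an illustrative assumption, not an authoritative policy source.
DANGEROUS_PERMS = {
    "execmem", "execstack", "execheap", "execmod",
    "dac_override", "dac_read_search", "sys_admin", "sys_module",
    "sys_ptrace", "setuid", "setgid", "ptrace", "relabelto", "relabelfrom",
}

# Target types where any new access deserves a second look (assumed list).
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Pull the type field out of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def build_rules(text):
    """Merge denials into allow rules: one rule per (source, target, class), like audit2allow."""
    merged = OrderedDict()
    for stype, ttype, tclass, perms in parse_avcs(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        target = "self" if ttype == stype else ttype
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append({"source": stype, "target": ttype, "tclass": tclass,
                      "perms": perms, "rule": f"allow {stype} {target}:{tclass} {perm_str};"})
    return rules


def assess(rule):
    """Return the reasons a reviewer should refuse to paste this rule in unread."""
    reasons = []
    risky = set(rule["perms"]) & DANGEROUS_PERMS
    if risky:
        reasons.append("grants " + ", ".join(sorted(risky)))
    if rule["target"] in SENSITIVE_TYPES:
        reasons.append("touches sensitive type " + rule["target"])
    return reasons


def review(text):
    """Turn raw AVC text into generated rules, each labelled 'low' or 'high' risk."""
    out = []
    for rule in build_rules(text):
        reasons = assess(rule)
        out.append({**rule, "risk": "high" if reasons else "low", "reasons": reasons})
    return out


if __name__ == "__main__":
    for r in review(SAMPLE_AVCS):
        flag = "REVIEW" if r["risk"] == "high" else "ok    "
        note = "   # " + "; ".join(r["reasons"]) if r["reasons"] else ""
        print(f"{flag}  {r['rule']}{note}")
```

On a real box the rules come from `audit2allow -a` (and `audit2why -a` explains each denial) rather than from a parser like this one; the point of the example is what to do with that output. The ntpd rule is the boring, expected kind. The other three are exactly the "holes" the message warns about: `execmem` means the domain wants writable-and-executable memory, `dac_override` lets it ignore file permissions entirely, and a write to `shadow_t` should never be answered with an allow rule. Each of those is a finding about the service (a bug, a misbuilt binary, or a mislabelled file), not a line to add to the policy.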
