I am not really sure if I can quantify how many blogs I read on the Internet where "the solution" to an issue is to disable SELinux, or at least set it into permissive mode. While I do not disagree that the immediate problem may then be resolved, it is a little like setting the filesystem permissions to rwx for all users authenticated or otherwise. Similarly, we all joke about users sticking post-it notes with password to the screen; there is little difference in this to an administrator disabling SELinux inappropriately.

There are reasons that the mandatory access control (MAC) list exists, and we as administrators should use it to our advantage. Traditionally, we are accustomed to using discretionary access control (DAC) lists and these ...