LSM stacking (again)
Posted Jun 27, 2010 18:00 UTC (Sun) by raven667 (subscriber, #5198)
In reply to: LSM stacking (again) by nix
Parent article: LSM stacking (again)
A few times I needed to make a local policy to allow an app to make syscalls it otherwise wasn't allowed to make; iterations of audit2allow made short work of it. In another instance I needed to grep through the existing security context list to find a suitable policy, as one already existed and I was just a chcon away from my app working. I haven't had problems with third-party apps because they tend not to come with policies, so they just pick up the default.
I don't think SELinux is bad, but there does not seem to be the amount of shared knowledge and lore that would allow people to easily solve problems when they come up. You can find some help via Google or Server Fault, but the quality is sometimes poor and the most common recommendation is to turn SELinux off rather than use the tools that come with it to actually understand and fix the problem.