On 02/25/2016 07:23 AM, Brandon Vincent wrote:
> On Thu, Feb 25, 2016 at 12:34 AM, Frank Cox <theatre at melvilletheatre.com> wrote:
>> Turns out you get the "Could not downgrade policy file /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux disabled and something tries to install or reload policy: semodule -vR does it.
>
> This is why if anyone is opposed to running SELinux it should be left
> in permissive mode.

Even in permissive mode you still incur the system overhead cost (7% performance hit, last I read) and the excessive logging. And don't even get me started about having /tmp mounted on a tmpfs filesystem! :-)

There are good reasons to prefer disabled over permissive if you're sure you won't need to re-enable SELinux later.