I am mostly on board with this, actually. The experience with machinectl and systemd-nspawn is also completely broken because there are no sane default SELinux rules for it.
However in my experience so far, the defaults do not get in your way during regular usage. You typically only encounter such issues when you're also in the position to fix them. And I think in general it's a great idea to have default deny policies for containers and VMs.
> So after scratching my head, I just turned it off altogether.
Please don't do this. It's not worth disabling an entire security system if you can just spend some time to figure out a command to make the system work for you. Fedora even has GUI tools that notify you when you encounter an SELinux issue. See stopdisablingselinux.com.