The reason to turn it off is because it can be a pain to debug.
However we don't turn it off now.
We nearly always keep it running.
I do occasionally turn it off to quickly verify if SELinux is a problem or not.
It's much easier to debug now, especially if you make yourself familiar with audit2allow.
You don't really need to understand it with audit2allow, but you can sometimes end up opening things up wider than you think with audit2allow.
Having said that, some SELinux is better than none.
I'm by no means an SELinux expert and have only been using it for a couple of years.
I still don't really understand the basics, but I know enough to get apps running, both those included with the distro and random stuff compiled off the 'net.
The main things I've had to use are ls -lZ (show SELinux context), audit2allow, chcon, semodule, getenforce, setenforce and booleans. With those tools I've managed to get every app I needed running under SELinux.
I find one of the big problems with debugging SELinux problems is simply remembering to check for SELinux problems when I have otherwise inexplicable problems. It usually takes me a little while to go "Oh! Check SELinux!!".
According to the bind man page, SELinux is far safer than running bind in a chroot jail.
A lot of other people who have far more clue than I also recommend it, so I run it blindly now. And I suspect that, despite the occasional problem, it is probably worth doing.
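Added here as an example, not part of the post above: a small POSIX sh triage script that reads constructed AVC denial lines and flags the common case where the right fix is a relabel (chcon/restorecon) rather than feeding the denial straight into audit2allow, which is how a policy ends up wider than intended. The list of "generic" labels and the socket-means-check-a-boolean rule are this example's own assumptions, not an official SELinux rule set.

```shell
#!/bin/sh
# Added example: triage AVC denials before running audit2allow.
# Idea: a denial whose *target* carries a generic/home/tmp label is usually a
# mislabelled file (fix: chcon/restorecon), not a missing policy rule. Socket
# denials are often covered by an existing boolean (check getsebool -a first).
# Label list and heuristics below are assumptions of this example.

avc_field() {   # avc_field KEY LINE -> value of KEY=... (surrounding quotes stripped)
    _key=$1; _line=$2
    printf '%s\n' "$_line" | sed -n "s/.*[[:space:]]$_key=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

ctx_type() {    # ctx_type user_u:role_r:type_t:s0 -> type_t
    printf '%s\n' "$1" | cut -d: -f3
}

classify_avc() {   # classify_avc LINE -> relabel | boolean | policy
    _avc=$1
    case $_avc in *avc:*denied*) ;; *) echo not-a-denial; return 1 ;; esac
    _tclass=$(avc_field tclass "$_avc")
    _ttype=$(ctx_type "$(avc_field tcontext "$_avc")")
    case $_tclass in
        file|dir|lnk_file|sock_file|fifo_file)
            case $_ttype in   # generic labels that rarely belong to a service's files
                user_home_t|admin_home_t|tmp_t|default_t|unlabeled_t|var_t|usr_t)
                    echo relabel; return 0 ;;
            esac ;;
    esac
    case $_tclass in
        *_socket) echo boolean ;;   # e.g. httpd connecting out: look for a boolean first
        *)        echo policy  ;;   # only now is audit2allow the likely answer
    esac
}

# Constructed sample denials (not captured from a real system).
DENIAL_HOME='type=AVC msg=audit(1546300800.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
DENIAL_NET='type=AVC msg=audit(1546300801.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'
DENIAL_POLICY='type=AVC msg=audit(1546300802.789:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'

for d in "$DENIAL_HOME" "$DENIAL_NET" "$DENIAL_POLICY"; do
    printf '%s %s on %s -> %s\n' "$(avc_field comm "$d")" "$(avc_field tclass "$d")" \
        "$(ctx_type "$(avc_field tcontext "$d")")" "$(classify_avc "$d")"
done
```

On a live box the same lines come from ausearch -m AVC or /var/log/audit/audit.log; "relabel" means run ls -lZ on the named file and compare with what restorecon -n would set before writing any policy.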