Go to the Splunk pages and pretty much it comes to the conclusion that you have to run SELinux in permissive mode. There are some githubs and evidence of people previously managing to run back at Splunk Enterprise 6 & 7 in enforcing mode, but this seems to have died off at Splunk 8.  There is one example of someone attempting 9.2.2Problem - CIS Level 2 Hardening, requires   SELinux to be set to Enforcing All processes to be running with Context (and Splunk do not tag/name provide context to the install) There are 30,000 files/names/processes to be manually added for Splunk Enterprise aloneSplunk TA's and Enterprise security are on top of this You cant add more wildcarded / open the context's wider without making overly permissive.   In environments that are regulated and it is mandatory requirement to have CIS Benchmark Level 2 Hardening enable AND have a security monitoring service in place (ie Splunk as a SIEM),  other than having people continuiously monitoring auditd logs and adding contexts 24/7 - what other solutions have people found. Other than thousands of exceptions and paying someone 24/7 to just manage SELinux,  how can Splunk Enterprise work with SELinux enforcing ?  ... View more