Me, quoting me from a private IRC conversation
14:29 =orc_orc> disabling selinux is like
having perms of 777
or no root password at all
or no wrappers
or no iptables
14:29 =orc_orc> only weak minds should still be doing these things
Actually, one should set the root password to a unique and hard one for each box, and use it only for recovery. [This was our practice per the 'blue ring notebook' of procedure at one site I ran: the per-machine passwords were 'remembered' and kept in a bound journal in the CIO's office safe; usage was logged, resets after use were noted in said journal, and audits were performed.] Non-local, password-based root login should not be enabled. Rather, one should rely on passphrase-protected, keyed SSH access the rest of the time.
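One way to check a box against that rule, as an added example that is not part of the original post: a small Python audit of `sshd_config` text that reports whether root or any other account can still log in over SSH with a password. The function names and both sample configs are constructed for illustration, and the defaults assume OpenSSH 7.0 or later; whether a private key carries a passphrase is a client-side property this check cannot see.

```python
# Added example: audit sshd_config text for password-based SSH login.
# OpenSSH semantics used here: keywords are case-insensitive, the FIRST value
# set for a keyword wins, and unset keywords fall back to built-in defaults.

DEFAULTS = {  # assumption: defaults of OpenSSH 7.0 or later
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Return global keyword settings, stopping at the first Match block."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":          # conditional blocks are out of scope here
            break
        if value == "without-password":   # deprecated alias
            value = "prohibit-password"
        settings.setdefault(key, value)   # first occurrence wins
    return settings

def root_password_findings(config_text):
    """List the settings that still allow password-based SSH login."""
    s = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is not limited to keyed login")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords accepted over SSH")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: keyed access is unavailable")
    return findings

# Constructed samples: the later "PermitRootLogin no" is ignored by sshd.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n"
HARDENED = ("PermitRootLogin prohibit-password\n"
            "PasswordAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, root_password_findings(text) or "ok")
```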