Unfortunately, while SELinux itself is good, the tooling around it has to be the most atrocious, useless steaming pile of thrash in this niche. From setroubleshootd randomly deciding to eat up 100% of CPU time (and no one being able to explain exactly what it does) to the endless fun of figuring out what policycoreutils-python & friends do and how, actually doing something useful with it is somewhere between "painful" and "frustrating". If Microsoft had published something like this, they'd have been the laughing stock of the whole Linux community.
I don't know anyone in my immediate circle of peers - not even people who use SELinux on servers or in products that they develop - who doesn't disable SELinux on their desktop. They're not idiots, either, nor re-booted Windows programmers that the IoT and DevOps craze has thrown into the Linux world, many of us have been using Linux since back when there was no E in RHEL.
I feel like there should be a way to write a new set of simplified tooling on top of the kernel API.
I've been running fedora at home an on my laptop for about a year now, and don't need to turn SElinux off. I only needed to add one custom role myself too, when trying to mount certain host directories as volumes in docker. Which is fair enough.
Ubuntu comes with AppArmor enabled by default [1].
Unfortunately its service will terminate at startup due to missing profiles [2]. This shows how much QA goes into security related stuff in a distro of this size.
