Hi there @Brian Brownlow So this came up in another thread, so I'm re-posting my answer here.
So this isn't something that I've tried recently but in my previous experiences with this it's possible, but definitely not
First of all, be aware that if you go this route, you should prepare for some issues along the way.
Your first issue is that there are no current selinux policies for HDP, so you'll have to create these from scratch.
Your initial step would be to set selinux to permissive mode; this shouldn't prevent anything from happening but it will flag each and every exception to the current policies.
There are selinux tools to convert exception messages to rules that you can allow and build into your new custom policy.
Then run the cluster in this state for a period of time ensuring that
as you rebuild the rules each time you get fewer and fewer selinux
At some point you can switch selinux to enforcing mode and things will continue to run at that point.
Do not fool yourself, there are certain operations that may not have
triggered during your policy creation time. At this point those actions
will be denied by selinux and you'll need to capture that and feed it
back into your policies.
Be very aware that every single time something strange happens on
that cluster, your first thing to check should be selinux, and that
should be the case for as long as that cluster is live, it should be the
number one mantra for any form of platform investigation.
As for when to re-disable it? I'd strongly recommend re-disabling it ahead of any major maintenance operations such as upgrades etc.
Community contribution of selinux policies would be a great way to contribute back if that's something you're interested in!
Hope that helps, sorry it's not a more concrete/simple answer.
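To illustrate the permissive-mode loop described in the answer above, here is an added example (not part of the original post and not HDP's or SELinux's own tooling) that groups AVC denials from audit log text into candidate allow rules, roughly what a tool such as audit2allow automates, and counts denials that were actually enforced. The log lines, paths and type names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (not from a real cluster); the SYSCALL record is noise.
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { read } for  pid=4101 comm="java" name="hdfs-site.xml" dev="dm-0" ino=1311 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000000.102:202): avc:  denied  { read open } for  pid=4101 comm="java" path="/etc/hadoop/conf/core-site.xml" dev="dm-0" ino=1312 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1500000000.102:202): arch=c000003e syscall=2 success=yes exit=5 comm="java"
type=AVC msg=audit(1500000000.250:203): avc:  denied  { name_bind } for  pid=4101 comm="java" src=50070 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1500090000.007:910): avc:  denied  { write } for  pid=5200 comm="java" name="hadoop" dev="dm-0" ino=2001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarise(log_text):
    """Group denials by (source type, target type, class); count enforced ones."""
    rules = defaultdict(set)
    enforced = 0
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if "type=AVC" in line else None
        if match is None:
            continue
        key = (context_type(match["scontext"]),
               context_type(match["tcontext"]), match["tclass"])
        rules[key].update(match["perms"].split())
        if match["permissive"] == "0":  # denial really blocked the operation
            enforced += 1
    return rules, enforced

def render_allow(rules):
    """Render candidate allow rules; review each one before adding it to a policy."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return lines

if __name__ == "__main__":
    found, blocked = summarise(SAMPLE_LOG)
    print("\n".join(render_allow(found)))
    print(f"{blocked} denial(s) were enforced, not just logged")
```

Running it against each day's log shows whether the set of candidate rules is shrinking between policy rebuilds, and a non-zero enforced count after the switch to enforcing mode marks denials that still need to be fed back into the policy.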