Well, one idea is, since there are no custom profiles for those services that we know of, to make use of RBAC and confine the user who’s running them.
usermod -Z user_u 'username'
Log out and back in
That’s just another layer limiting user actions.
I’m not sure if you’re allowed to run webapps in a user_u domain (there are others, iirc webadm and such), but that domain has no way to escalate privileges at least.
Also, you could kick things up a notch and polyinstantiate tmp dirs.
Anywho gotta look back into the type domains when I’ve got more time, currently in the middle of a move, I’ll get back at ya next week, or possibly on Sunday.
Edit: Oh, and a side note, disabling SELinux is horrible advice. You should turn it into permissive instead. And not globally either, you can run single processes in permissive mode.
SELinux isn’t hard at all once you understand how it functions, some people just don’t rtfm.