I've just built a fresh new 7.2 machine. It's been an SELINUX adventure, so far. 
Here are some observations for the developers of various parts of the system. 
Mostly they are documentation and SELinux issues. Documentation would have 
helped deal with the SELinux issues. There is one serious deficiency noted below 
in subversion. (And for the standard whine, systemd sucks dead bunnies through 
garden hoses - chiefly due to nearly totally absent documentation.)

Among the problems I found is that subversion does NOT work out of the box. Its 
install does not create the repository location declared in its /etc/sysconfig 
file. Creating it "almost" makes it work. I fussed around following 
troubleshooter suggestions which all failed. Ultimately I bit the bullet and 
tried a system wide relabel. (I am not sure if I've broken dovecot yet. I think 
not.) That worked. Two things would have helped. First setting up /var/svn with 
the right contextual rules right off the bat. Second is, IMAO, a serious 
deficiency in svnserve. It apparently cannot be run as a user (subversion) 
rather than root. For the 6.x system subversion in a subversion account with 
limited permissions. It's a belt and suspenders thing. SELinux has been a severe 
PITA during this build. It's troubleshooting advice is usually useless.

On to the real reason for writing this. I have some idiosyncratic iptables rules 
I rather like. They involved "recent". I setup some open ports, notably ssh, for 
limited access. A given address can attempt a SYN packet to the machine no more 
frequently than once every 90 seconds. Imagine trying to "guess" an even "fair 
at best" password under those conditions without lighting a nuclear level flare 
in the logs.

Obviously I really do NOT want firewalld to run. This is, apparently, usually 
done using "systemctl mask firewalld". Unfortunately this leaves divots all over 
the logs about systemctl not being able to bring up /dev/null er firewalld. That 
seems "unfriendly" to say the least. (And it seems there is no "friendly" way to 
undo the "systemctl mask" command, at least for firewalld.

And I mentioned dovecot above. It as an adventure to get my usual 
fetchmail->sendmail->procmail->spamc->mbox file working. I managed to find the 
way to do this with postfix. (procmail? Um, historical - dates from before 
modern alternatives and is usefully aggressive about forcing the email through 
spamassassin.) Then I needed to setup Dovecot to suck the email back off the 
system. This was a PITA on 6.x. It is a ROYAL SELinux PITA on 7.2. Some better 
documentation would be most helpful, if anybody can be motivated to commit the 
writing effort.

{^_^}