Yeah, they're not great recommendations sometimes, but they do have the advantage of always allowing the behavior, which I think is meant to not make a frustrated ops person even more mad. But I disagree on the "you might as well disable it" because now you've lost the policies on the thousands of packages you didn't make exceptions for. Even if $company_app is running basically unconfined, at least sshd is still locked down.