Is there a way to query the Enterprise to see which Linux systems have ENSL running in SELinux confinement? It is possible to see the version of platform and threatprevention, but I am not seeing a way to verify, without logging on to individual systems, that the selinux package was loaded and threatprevention is running in selinux confinement.
Hi @ccastbr,
Good day to you!
Unfortunately, we do not have that option at the moment.
Please consider submitting a product enhancement request for this.
https://kc.mcafee.com/corporate/index?page=content&id=KB60021
Regards,
AJ
In the meantime, I thought about running an EEDK that does an rpm -qa looking for the McAfee SELinux package and if present puts a string in a Custom property. The ePO can query on that property. Not the greatest idea, especially since the EEDK would have to be rerun.
The other, and probably better, approach is to have one of our other applications report on running processes. It is a little frustrating, though, that from the ePO you cannot tell if systems are compliant. I did use an EEDK to distribute the RPM, and I suppose I could add setting a custom property there as well, to at least mark which systems were touched.
Another question is, is there an order for installation of McAfee SELinux rpm and ENSL? For instance, if Puppet is maintaining our systems and the McAfee SELinux rpm is installed, would it then be possible to install ENSL, or must ENSL be installed first?
If ENSL may be installed after the SELinux rpm is installed, then I could have Puppet maintain the rpm.
Thank you!
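The check an EEDK script or a process-reporting tool would need, written as an added example (not part of the posts above and not McAfee code). It reduces a host to one status string that could be stored in a custom property. The process name `mfetpd`, the list of generic unconfined domains, and the sample domain `example_ens_t` are assumptions; the package name is the one given in this thread.

```shell
#!/bin/sh
# Added example, not McAfee code. Emits one status string per host.
PKG="McAfeeENS-selinux"   # package name as written in the thread
PROC="mfetpd"             # assumed Threat Prevention daemon name; adjust if different

# classify PKG_INSTALLED(yes|no) GETENFORCE_MODE PS_OUTPUT
# PS_OUTPUT is the text of `ps -eo label=,comm=` (SELinux label, command name).
classify() {
    pkg=$1; mode=$2; psout=$3
    [ "$pkg" = yes ] || { echo "NO_POLICY_PKG"; return 0; }
    # Permissive or Disabled means policy is not being enforced on this host.
    [ "$mode" = Enforcing ] || { echo "SELINUX_$mode"; return 0; }
    label=$(printf '%s\n' "$psout" | awk -v p="$PROC" '$2 == p { print $1; exit }')
    [ -n "$label" ] || { echo "TP_NOT_RUNNING"; return 0; }
    # Label layout is user:role:type:level; the type is the process domain.
    dom=$(printf '%s\n' "$label" | cut -d: -f3)
    case $dom in
        unconfined_t|unconfined_service_t|initrc_t)
            echo "UNCONFINED:$dom" ;;   # generic domains, no product policy applied
        *)
            echo "CONFINED:$dom" ;;     # report the domain rather than guess its name
    esac
}

# Gather the three inputs from the live host and classify them.
collect() {
    if rpm -q "$PKG" >/dev/null 2>&1; then inst=yes; else inst=no; fi
    m=$(getenforce 2>/dev/null || echo Disabled)
    classify "$inst" "$m" "$(ps -eo label=,comm=)"
}

if [ "${1:-}" = "live" ]; then
    collect
else
    # Constructed sample; example_ens_t is a placeholder domain name.
    classify yes Enforcing 'system_u:system_r:example_ens_t:s0 mfetpd
system_u:system_r:sshd_t:s0 sshd'
fi
```

Run with the argument `live` on a managed host to evaluate the real package, enforcement mode and process label. Checking the running process label catches the case where the package is installed but the daemon was never restarted into its domain, which `rpm -qa` alone would miss.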
I believe ENSL must be installed first, and then the SELinux package.
Based on that, I should be able to create a Puppet module to install the selinux rpm if ENSL is present and the rpm McAfeeENS-selinux is not.
Perhaps that is the best approach.
I believe this installation guide could be of little help.
Thank you. I missed that statement, "You can install SE-Linux RPM package on standalone or managed Linux machine, before or after installing McAfee Endpoint Security for Linux 10.7.2"
I am assuming the SELinux rpm version will be updated as the ENSL package version is updated?
Installation of the SELinux rpm is described as a manual install on a Linux machine. Is it correct that it is not deployed from the ePO?