RHEL 7.9 and SELinux have tools such as sealert to report on avc denials. We are seeing many false positive alerts, and they are inconsisent across nodes. Overall about 22 false positives.
- Why are these false positives triggered inconsistently across nodes?
- Is using sealert to find alerts recommended? If so, is reducing the false positives using ausearch and semodule to generate local policies recommended or frowned upon?
- Is there a better way?
Best answer by SparshGuptaView original