After repeated testing, we will have a policy that works, even though denials might still show up in the audit logs. In order not to alarm any administrator, we might want to disable auditing of those specific denials (while, of course, ensuring that critical access vectors are still logged by the audit daemon).
In order to disable logging of certain denials that do not influence an application's behavior, trigger the denial and then register the dontaudit statements as explained in the following steps:
For each denial shown in the audit logs, we need to find the corresponding
dontauditrule set. Consider the following instance:type=AVC msg=audit(1398936489.877:2464): avc: denied { search } for pid=8241 comm="skype" name="modules" dev="dm-0" ino=1322041 scontext=user_u:user_r:skype_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dirSearch through the SELinux policies for
dontauditstatements on this matter:~$ sefindif dontaudit.*user_home_t...