We have selinux running in permissive mode on a RHEL 5.3 server. Disabling it is not an option, nor is installing a different syslog solution such as syslog-ng. I have setroubleshoot messages that keep polluting /var/log/messages. I'd like to isolate these to their own log file, and thought I could do so with the 'filename =' directives in the file /etc/setroubleshoot/setroubleshoot.cfg for the sections '[sealert_log]' and/or [setroubleshootd_log] . However, even after a restart of the setroubleshoot service, messages continue to appear in /var/log/messages.

What is the proper way to ensure these messages stop appearing in /var/log/messages, and start appearing in the log file I specify?

Thanks.

What messages specifically? Does sealert offer advice how to alleviate the AVC message problem? Do you perchance know what rule triggers logging it?