I'm a selinux newbie using RHEL7.9 and I'm in the process of creating a "private/application" selinux policy for a large legacy application. For some AVCs/denials I've been using the audit2allow to generate some of the rules/interfaces to resolve the AVCs/denials. Questions about using the "-R" option to generate the policy rules: 1. What are the risks of using the "-R" option? Do people use the "interfaces" which the "-R" generates in the policies deployed in production environments? When "-R" is used, how does the tool itself determine which "interface" to use? Is it Linux distribution and release specific so if we upgrade will it be a problem? The redhat documentation and man page (and other vendor's documentation) specify it is a risk to use this tool (see [1][2]). 2. When the "-R" option is not used, separate rules are generated that do not include "interface" rules. Is it safe to use the rules audit2allow generates (without "-R") or are those a risk as well? 3. Any other suggestions for resolving AVCs/denials ? [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... [2] audit2allow man page man audit2allow ... -R | --reference Generate reference policy using installed macros. This attempts to match denials against interfaces and may be inaccurate. Thanks