notes.log

https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture/Recipes

Excluding log files

Measurement and appraisal of log files is not useful and generate kernel spam every time one is opened. It would be useful to exclude known log files, and with the help of SELinux, it is possible to so. List the log file types SELinux knows about:
user $seinfo -alogfile -x

With this in hand, known log files can be excluded from appraisal and measurement by including this snippet before any "appraise" or "measure" rules
CODE SELinux log-excluding policy

dont_measure obj_type=auth_cache_t
dont_appraise obj_type=auth_cache_t
dont_measure obj_type=cron_log_t
dont_appraise obj_type=cron_log_t
dont_measure obj_type=dirmngr_log_t
dont_appraise obj_type=dirmngr_log_t
dont_measure obj_type=dracut_var_log_t
dont_appraise obj_type=dracut_var_log_t
dont_measure obj_type=faillog_t
dont_appraise obj_type=faillog_t
dont_measure obj_type=fsadm_log_t
dont_appraise obj_type=fsadm_log_t
dont_measure obj_type=getty_log_t
dont_appraise obj_type=getty_log_t
dont_measure obj_type=initrc_var_log_t
dont_appraise obj_type=initrc_var_log_t
dont_measure obj_type=lastlog_t
dont_appraise obj_type=lastlog_t
dont_measure obj_type=nscd_log_t
dont_appraise obj_type=nscd_log_t
dont_measure obj_type=portage_log_t
dont_appraise obj_type=portage_log_t
dont_measure obj_type=rsync_log_t
dont_appraise obj_type=rsync_log_t
dont_measure obj_type=user_cron_spool_log_t
dont_appraise obj_type=user_cron_spool_log_t
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t
dont_measure obj_type=wtmp_t
dont_appraise obj_type=wtmp_t