What is an alert signature?
Alert signatures are a means of describing a general denial. For most users a signature can be thought of as an “SELinux problem” such as “the web server can’t execute CGI scripts”. A signature collects the minimal information necessary to uniquely describe an SELinux denial, and no more; with any more information, the signature would begin to describe specific instances rather than a general problem. However, the content of the signature must be unique enough that denial events which are fundamentally unique are not coalesced into a single description.

Signatures allow alerts to be “portable” across systems. For example, if you’re managing a collection of nodes, the same signature can be used to reference the same problem on all the nodes. As a system administrator it is quite useful to see that nodes X, Y, and Z are all showing the same problem, but node W is not. Portable signatures also make bug reporting much more useful because one signature can be used for every person reporting the
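
The following Python is an added illustration of the idea above, not setroubleshoot's own code: it derives a signature from AVC denial lines and groups nodes by it. The choice of signature fields (source type, target type, object class, permissions), the hashing, and the sample log lines are assumptions constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def signature(line):
    """Hash only the fields assumed to define the problem (None if not an AVC denial)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Assumed signature fields. pid, timestamp, SELinux user and host are left out
    # because they describe one instance rather than the general problem.
    fields = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"],
              " ".join(sorted(m["perms"].split())))
    return hashlib.sha256("|".join(fields).encode()).hexdigest()[:16]

def group_by_signature(events):
    """Map each signature to the set of nodes that reported it."""
    nodes = defaultdict(set)
    for host, line in events:
        sig = signature(line)
        if sig is not None:
            nodes[sig].add(host)
    return dict(nodes)

def _avc(perm, tcon, tclass, pid):
    """Build one constructed audit line (sample data, not captured from a real system)."""
    return (f"type=AVC msg=audit(1700000000.{pid}:{pid}): avc:  denied  {{ {perm} }} for  "
            f'pid={pid} comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
            f"tcontext={tcon} tclass={tclass} permissive=0")

HOME = "unconfined_u:object_r:user_home_t:s0"
SAMPLE_EVENTS = [  # constructed: X, Y, Z hit the same problem, W a different one
    ("nodeX", _avc("execute", HOME, "file", 2104)),
    ("nodeY", _avc("execute", HOME, "file", 877)),
    ("nodeZ", _avc("execute", "system_u:object_r:user_home_t:s0", "file", 5530)),
    ("nodeW", _avc("name_connect", "system_u:object_r:postgresql_port_t:s0", "tcp_socket", 1450)),
    ("nodeW", "type=SYSCALL msg=audit(1700000000.1450:1450): arch=c000003e syscall=42 success=no"),
]

if __name__ == "__main__":
    for sig, hosts in group_by_signature(SAMPLE_EVENTS).items():
        print(sig, sorted(hosts))
```

Adding an instance-specific field such as the pid to `fields` would split nodes X, Y and Z into three signatures, while dropping the target type would merge node W's denial into theirs.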