How to dontaudit all permissive SELinux domains?

I’m in process of migration to Fedora Server and trying to transfer existing configuration to it. Sometimes I get denials which I’m not ready to fix/workaround right now and I’m trying to disable them via semanage permissive -a collectd_t by temporary(?) switching the app to permissive domain.

It works, but SELinux continues to log all accesses for them that would be denied, setroubleshootd.service consumes 100% of CPU processing them and this doesn’t look like a good solution.

How to completely disable SELinux for some specific domains / services (make them behave like unconfined_t)? Haven’t found a good solution for this yet.

In fact, you can safely disable/remove setroubleshoot if it is causing issues.
SELinux denials can be handled with audit2allow and the relevant CLI tools.

setroubleshoot is just the most visible effect, but the fact is that permissive domain is not cheap: every unexpected app access triggers audit subsystem, it spends CPU and disk on writing to audit log. And then, later it would be harder to find something valuable it it.

At this time the best I found is chcon -t bin_t /usr/sbin/collectd, but of course it’s dirty hack just to solve the problem at the moment and is not suitable as a long-term solution.

Consider disabling standalone audit logging.
It should be duplicated to journal anyways:

journalctl _AUDIT_TYPE_NAME=AVC

I haven’t used it, but it looks like audit2allow will generate dontaudit rules (instead of allow rules):

$ man audit2allow | grep -A 1 -- --dontaudit
       -D | --dontaudit
              Generate dontaudit rules (Default: allow)