SELinux policy on /tmp/pritunl_

We’re running Pritunl on Oracle Linux 8. Our host IDS (Wazuh) is throwing an alarm for the pritunl directory in /tmp. It looks like it has something to do with an SELinux policy.

Here’s what we’re getting from the IDS:
Anomaly detected in file '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

When I list /tmp with sudo ls -l /tmp I get this:

ls: cannot access '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93': Permission denied
total 4
d?????????? ? ?        ?           ?            ? pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93

Is there any modification I can make to an SELinux policy to squash the IDS alarm while keeping things secure?

You would need to disable SELinux. Pritunl modifies the tmp files' SELinux context to block access from any other process; this protects the keys stored in this directory.

I’d like to avoid disabling SELinux.

What are the keys that are stored in /tmp used for? Can I configure a different directory to be used?

There is an option in the configuration file to change the directory, but this would likely prevent the Pritunl process from accessing the files.
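The alert quoted in the question is a mismatch check: the directory name comes back from readdir() on /tmp, but stat() on it fails, which is also why ls prints the d?????????? row. The script below is an added example (not Pritunl or Wazuh code) that reproduces that check and then shows what to look at on the real host to confirm the cause is a label rather than a rootkit: the SELinux mode, the label on the directory and its parent, and any recent AVC denials naming the path. The self-contained demo cannot rely on SELinux being present, so it produces the same symptom with plain permissions (an assumption: removing search permission from a parent directory blocks stat() on its entries but not readdir()); the directory name pritunl_example is a constructed stand-in for /tmp/pritunl_<id>.

```shell
#!/bin/sh
# Added example, not Pritunl's or Wazuh's code. Demonstrates the
# "visible on readdir, hidden from stat" heuristic and the SELinux checks
# that separate a label-based denial from a hidden directory.

# stat_mismatch DIR: print every entry of DIR that readdir() returns but
# stat() cannot access. `test -e` calls stat() and fails on EACCES, which
# is exactly the condition the IDS alert describes.
stat_mismatch() {
    ls -1A -- "$1" | while IFS= read -r name; do
        [ -e "$1/$name" ] || printf '%s\n' "$1/$name"
    done
}

# selinux_check PATH: on an SELinux host, show the enforcement mode, the
# label on PATH and on its parent, and any recent AVC denial that names
# PATH (if the denial was logged, i.e. not covered by a dontaudit rule).
# Prints a short note and returns 0 where the tools are not installed.
selinux_check() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ls -Zd -- "$1" 2>&1 || true               # a denied stat shows '?' fields here too
    ls -Zd -- "$(dirname -- "$1")" 2>&1 || true
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts recent 2>/dev/null | grep -F -- "$1" \
            || echo "no recent AVC denial mentions $1"
    fi
}

# demo_mismatch: build a throw-away parent whose child is listed by readdir()
# but rejected by stat(), run stat_mismatch on it and print the number of
# flagged entries. Assumption for the demo: with the parent's search (x) bit
# removed, stat() on its entries fails while readdir() still works. As root,
# DAC is bypassed and the count is 0; on the page's host the denial comes
# from the SELinux label, not from mode bits.
demo_mismatch() {
    parent=$(mktemp -d) || return 1
    mkdir "$parent/pritunl_example"     # constructed stand-in for /tmp/pritunl_<id>
    chmod 0444 "$parent"
    stat_mismatch "$parent" | wc -l | tr -d ' '
    chmod 0755 "$parent"
    rm -rf "$parent"
}

# Usage: ./check.sh            -> run the self-contained demo
#        ./check.sh /tmp/pritunl_<id>  -> check a real path on the host
if [ -n "${1:-}" ]; then
    stat_mismatch "$(dirname -- "$1")" | grep -F -- "$1" || echo "$1 is not stat-hidden"
    selinux_check "$1"
else
    echo "entries flagged in demo directory: $(demo_mismatch)"
fi
```

On the host from the question, run it against the real path as root. If getenforce reports Enforcing, ls -Zd shows a label on the directory that differs from the default tmp_t on /tmp, and ausearch returns an AVC naming the path, the IDS finding is explained by the policy rather than by a kernel rootkit; that is the evidence to attach when tuning the rule.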