I have auditd running, so SELinux denials are being written to /var/log/audit/audit.log ok.
I have SELinux configured as permissive, and I tend to then get loads of messages written to /var/log/messages that I don't want there.

From googling around, I can change the logging via rsyslog - so I have modified rsyslog.conf to have these lines:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# E6540# Drop messages with SELinux/AVC in body
# E6540# Added a property based rule to try to stop SELinux messages hitting /var/log/messages
:msg,contains, "SELinux" /var/log/SELinux_E6540
:msg,contains, "AVC" /var/log/SELinux_E6540
# E6540# The above writes SELinux/AVC to their own log and the two lines below stop them entering /var/log/messages
:msg,contains, "SELinux" stop
:msg,contains, "AVC" stop
*.info;mail.none;authpriv.none;cron.none /var/log/messages

The question is, is this the best way to do it? I don't want to cause any security issues, but I don't want the log full of the SELinux and AVC messages.