If you install FC (including FC6T2) with /var as a separate partition, you will get lots of the following at boot:
audit(1155060024.471:4): avc: denied { search } for pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
This is because pam_console_apply is being run before /var is mounted and the unmounted /var directory does not have the appropriate selinux context (var_t). pam_console_apply is apparently looking for the file /var/run/console.lock.
I believe pam_console_apply is being run before /var is mounted by udev. udev is started before /var is mounted, and the following udev rule exists:
# cat /etc/udev/rules.d/95-pam-console.rules
ACTION=="add", SYSFS{dev}=="?*", KERNEL=="?*", RUN+="/sbin/pam_console_apply $env{DEVNAME} $env{DEVLINKS}"
Which appears to run pam_console_apply for every device, which would explain why there are so many messages.
Now, I think the proper solution is to have anaconda properly label the /var mount point var_t. Indeed, putting "restorecon /var" early in rc.sysinit and rebooting a couple of times has been the favored hack to this point and does not appear to result in any other error messages. But I'm posting this here so that hopefully all of the various parties (initscripts, udev, anaconda, selinux, pam) have a chance to weigh in.
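Added example, not part of the post above: a small parser for AVC denial lines of the form quoted earlier, which separates the "object carries no label" case (tcontext type file_t on a directory, the situation a restorecon on the mount point fixes) from an ordinary policy denial. The sample lines, the second (var_t) line, and the diagnostic wording are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed samples: the first is the denial quoted in the post,
# the second is a made-up denial against an already labelled directory.
SAMPLE_AVC = ('audit(1155060024.471:4): avc: denied { search } for pid=496 '
              'comm="pam_console_app" name="var" dev=hda2 ino=251905 '
              'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
              'tcontext=system_u:object_r:file_t:s0 tclass=dir')
SAMPLE_LABELLED = ('audit(1155060030.001:5): avc: denied { write } for pid=500 '
                   'comm="pam_console_app" name="var" dev=hda3 ino=2 '
                   'scontext=system_u:system_r:pam_console_t:s0 '
                   'tcontext=system_u:object_r:var_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

@dataclass
class AvcDenial:
    perms: list
    fields: dict

    def type_of(self, key):
        # A context is user:role:type[:range]; return the type component.
        return self.fields[key].split(':')[2]

def parse_avc(line):
    """Parse one AVC denial line; return None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(perms, fields)

def diagnose(denial):
    """Classify the denial: unlabeled target object vs. ordinary policy denial."""
    ttype = denial.type_of('tcontext')
    if ttype == 'file_t' and denial.fields.get('tclass') == 'dir':
        # file_t on a directory means the on-disk object has no label yet
        # (here: the mount point under the not-yet-mounted filesystem).
        return 'unlabeled directory %r on %s: relabel with restorecon' % (
            denial.fields.get('name'), denial.fields.get('dev'))
    return 'policy denial: %s -> %s (%s: %s)' % (
        denial.type_of('scontext'), ttype, denial.fields.get('tclass'),
        ' '.join(denial.perms))
```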
Orion Poplawski wrote:
Now, I think the proper solution is to have anaconda properly label the /var mount point var_t.
Suggested in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202525