Strange denials

I'm seeing the following on my Rawhide VM: type=AVC msg=audit(1603594049.879:534): avc: denied { write } for pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0 This makes no sense to me. sesearch seems to indicate that this should be allowed (as you would expect): # sesearch -s cobblerd_t -t cobbler_var_log_t --allow allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock open search write }; allow cobblerd_t cobbler_var_log_t:file { create open read setattr }; allow cobblerd_t file_type:filesystem getattr; allow daemon logfile:file { append getattr ioctl lock }; allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True allow domain file_type:file map; [ domain_can_mmap_files ]:True allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True selinux-policy-3.14.7-6.fc34.noarch 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64 What am I missing? -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 https://www.nwra.com/