I'm seeing the following on my Rawhide VM:
type=AVC msg=audit(1603594049.879:534): avc: denied { write } for pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0
This makes no sense to me. sesearch seems to indicate that this should be allowed (as you would expect):
# sesearch -s cobblerd_t -t cobbler_var_log_t --allow allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock open search write }; allow cobblerd_t cobbler_var_log_t:file { create open read setattr }; allow cobblerd_t file_type:filesystem getattr; allow daemon logfile:file { append getattr ioctl lock }; allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True allow domain file_type:file map; [ domain_can_mmap_files ]:True allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
selinux-policy-3.14.7-6.fc34.noarch 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
What am I missing?