When starting pkcsslotd (in opencryptoki-3.0-6.fc20.x86_64), it creates a socket in /run:

$ ls -lZ /run/pkcsslotd.socket
srwxrwx---. root pkcs11 system_u:object_r:pkcsslotd_var_run_t:s0 /run/pkcsslotd.socket

However, when running restorecon:

$ sudo restorecon -Rv /run/pkcsslotd.*
/sbin/restorecon reset /run/pkcsslotd.socket context system_u:object_r:pkcsslotd_var_run_t:s0->system_u:object_r:var_run_t:s0
$ ls -lZ /run/pkcsslotd.socket
srwxrwx---. root pkcs11 system_u:object_r:var_run_t:s0 /run/pkcsslotd.socket

I think it shouldn't be reset like this, as someone trying to fix some problem would just create more issues.

grep /run/pkcsslotd /etc/selinux/targeted/contexts/files/file_contexts
/var/run/pkcsslotd.* system_u:object_r:pkcs_slotd_var_run_t:s0

Would the file context also match if the file is in /run rather than /var/run (I mean, at creation time)? I do have the same result as you, but I can still reproduce the problem of having the socket wrongly labelled when pkcsslotd is started.

Yes /run == /var/run, there is a file equivalence.

matchpathcon /run/pkcsslotd.socket

$ matchpathcon /run/pkcsslotd.socket
/run/pkcsslotd.socket system_u:object_r:var_run_t:s0

If you execute # yum reinstall selinux-policy-targeted does it blow up?
That indeed fixes the issue, so I guess I can close it?
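
The lookup discussed in this thread, as an added example that is not part of the original report or of libselinux: a small model of how a /run path is rewritten to /var/run before it is matched against file_contexts, and a check that flags a socket whose label differs from the expected one. The generic /var/run rule, the SUBS mapping, the function names and the "last matching entry wins" ordering are assumptions made for illustration.

```python
import re

# Constructed sample data. The pkcsslotd entry is the one grep printed in the
# thread; the generic /var/run rule and the subs mapping are assumptions.
FILE_CONTEXTS = """\
/var/run(/.*)?          system_u:object_r:var_run_t:s0
/var/run/pkcsslotd.*    system_u:object_r:pkcs_slotd_var_run_t:s0
"""
SUBS = {"/run": "/var/run"}  # equivalence: look up /run/... as /var/run/...

def apply_subs(path, subs=SUBS):
    """Rewrite an equivalent prefix before the regex lookup."""
    for src, dst in subs.items():
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_contexts(text):
    """Return [(compiled_regex, context)] from file_contexts-style lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            # fields are: regex, optional file-type flag, context
            entries.append((re.compile(fields[0]), fields[-1]))
    return entries

def expected_context(path, entries, subs=SUBS):
    """Hypothetical simplified lookup: the last fully matching entry wins."""
    canonical = apply_subs(path, subs)
    found = None
    for regex, context in entries:
        if regex.fullmatch(canonical):
            found = context
    return found

def label_drift(ls_z_line, entries):
    """Compare the label in one `ls -lZ` line with the expected one."""
    parts = ls_z_line.split()
    actual, path = parts[-2], parts[-1]
    wanted = expected_context(path, entries)
    return None if actual == wanted else (path, actual, wanted)

if __name__ == "__main__":
    entries = parse_contexts(FILE_CONTEXTS)
    after_restorecon = ("srwxrwx---. root pkcs11 "
                        "system_u:object_r:var_run_t:s0 /run/pkcsslotd.socket")
    print(label_drift(after_restorecon, entries))
```

In this model, dropping the pkcsslotd line from the loaded entries makes the generic rule the only match, so the expected label becomes var_run_t.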