Description of problem:

Posted this to fedora-devel but no takers so here's the bug report against anaconda.

If you install FC (including FC6T2) with /var as a separate partition, you will get lots of the following at boot:

    audit(1155060024.471:4): avc: denied { search } for pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir

This is because pam_console_apply is being run before /var is mounted and the unmounted /var directory does not have the appropriate SELinux context (var_t). pam_console_apply is apparently looking for the file /var/run/console.lock.

I believe pam_console_apply is being run before /var is mounted by udev. udev is started before /var is mounted, and the following udev rule exists:

    # cat /etc/udev/rules.d/95-pam-console.rules
    ACTION=="add", SYSFS{dev}=="?*", KERNEL=="?*", RUN+="/sbin/pam_console_apply $env{DEVNAME} $env{DEVLINKS}"

Which appears to run pam_console_apply for every device, which would explain why there are so many messages.

Now, I think the proper solution is to have anaconda properly label the /var mount point var_t. Indeed, putting "restorecon /var" early in rc.sysinit and rebooting a couple times has been the favored hack to this point and does not appear to result in any other error messages.
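One way to confirm from a boot log that the repeated denials all hit the same directory carrying the file_t type seen above, as an added example that is not part of the original report: the script parses AVC denial lines and groups those whose target type is file_t by device, inode and name. Only the first sample line comes from the report; the other two lines, including the names exampled, example.conf and example_t, are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the report; lines 2-3 are
# constructed (exampled / example.conf / example_t are hypothetical names).
SAMPLE = """\
audit(1155060024.471:4): avc: denied { search } for pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155060024.502:5): avc: denied { search } for pid=501 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155060031.120:9): avc: denied { read } for pid=912 comm="exampled" name="example.conf" dev=hda2 ino=40112 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the level may itself contain ':',
    # so take the third field rather than the last one.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key[0] + 'type'] = parts[2] if len(parts) > 2 else None
    return rec


def unlabeled_targets(text):
    """Count denials whose target type is file_t, keyed by object and source type."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['ttype'] == 'file_t':
            hits[(rec.get('dev'), rec.get('ino'), rec.get('name'), rec['stype'])] += 1
    return hits


if __name__ == '__main__':
    for (dev, ino, name, stype), n in unlabeled_targets(SAMPLE).items():
        print(f"{n}x {stype} -> file_t object {name!r} (dev={dev} ino={ino})")
```

A single key with a high count, as here, points at one mislabeled mount point directory rather than many separate policy problems.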
This is ... ugly. But I guess we could do a hack like setting labels when going to mount filesystems on a new install :/
Should be fixed in CVS