Description of problem:
When rc.sysinit calls init_crypto to enable mappings listed in /etc/crypttab,
cryptsetup is not permitted to access a key file on a vfat filesystem mounted
under /mnt.  When invoked manually from single-user mode or a root shell, the
operation succeeds.

Version-Release number of selected component (if applicable):
F8 GA

How reproducible:
100%

Steps to Reproduce:
1. create a key file on a vfat filesystem (probably not just vfat)

2. create a mountpoint under /mnt and a root read-only fstab entry for the vfat
filesystem:

/dev/sdb1 /mnt/key vfat ro,umask=077 0 0

3. mount /mnt/key manually or by rebooting

4. from root shell or single-user mode, cryptsetup luksFormat a hard drive
partition using the key on the usb drive (selinux will not complain about this)

5. create an /etc/crypttab entry for the luks partition:

crypt /dev/sda4 /mnt/key/sda4.key

6. create a usbkey.modules script in /etc/sysconfig/modules/ which will be
invoked by rc.sysinit prior to calling init_crypto:

#!/bin/sh
/sbin/modprobe usb-storage
/sbin/modprobe vfat
/bin/sleep 5
/bin/mount /mnt/key

7. reboot

Actual results:
cryptsetup fails during boot, and anything within the encrypted partition is
inaccessible.  dmesg shows this:

SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts
audit(1195180052.553:4) avc:  denied  { search } for  pid=1423 comm="cryptsetup"
name="mnt" dev=dm-0 ino=129665 scontext=system_u:system_r:lvm_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir

The audit message is repeated again a few lines lower, as a result of the second
call to init_crypto in rc.sysinit.  (For reference, dm-0 is the lv containing
the root filesystem.)

Expected results:
cryptsetup succeeds, just like it does when invoked interactively

Additional info:
Putting selinux in permissive mode allows cryptsetup to complete successfully.