Bug 571267 - SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device dm-5.
Summary: SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:293cce0e353...
Depends On:
Blocks:
 
Reported: 2010-03-07 22:33 UTC by Maciej Żenczykowski
Modified: 2010-04-20 13:07 UTC (History)
CC: 8 users

Fixed In Version: selinux-policy-3.6.32-103.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-20 13:07:36 UTC
Type: ---
Embargoed:



Description Maciej Żenczykowski 2010-03-07 22:33:47 UTC
I'm pretty sure this must have been a race, since without touching anything I now see:

$ dmsetup ls
luks-extra      (253, 5)

$ ls -alZd /dev
drwxr-xr-x. root root system_u:object_r:device_t:s0    /dev

$ ls -alZd /dev/mapper/luks-extra /dev/dm-5 
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/mapper/luks-extra

$ ls -ald /dev/mapper/luks-extra /dev/dm-5 
brw-rw----. 1 root disk 253, 5 2010-03-07 14:20 /dev/dm-5
brw-rw----. 1 root disk 253, 5 2010-03-07 14:20 /dev/mapper/luks-extra

I had just issued:
cryptsetup luksOpen /dev/sdb5 luks-extra
blockdev --getsize64 /dev/mapper/luks-extra

(no idea if the second command is important or not, but I didn't get/notice the selinux avc denial until afterwards, sdb is a GPT partitioned firewire800 external drive which had been already connected for quite a while [and I'd canceled the gui automount luks prompt when it popped up a few minutes earlier, soon after connecting it])

Summary:

SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device
dm-5.

Detailed Description:

[hald-probe-volu has a permissive type (hald_t). This access was not denied.]

SELinux has denied hald-probe-volu "read" access to device dm-5. dm-5 is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'dm-5'. If this
device remains labeled device_t, then this is a bug in SELinux policy. Please
file a bug report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for dm-5, you can use chcon -t
SIMILAR_TYPE 'dm-5'. If this fixes the problem, you can make this permanent by
executing semanage fcontext -a -t SIMILAR_TYPE 'dm-5'. If the restorecon changes
the context, this indicates that the application that created the device,
created it without using SELinux APIs. If you can figure out which application
created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v 'dm-5' or chcon -t SIMILAR_TYPE 'dm-5'

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                dm-5 [ blk_file ]
Source                        hald-probe-volu
Source Path                   /usr/libexec/hald-probe-volume
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 07 Mar 2010 02:20:18 PM PST
Last Seen                     Sun 07 Mar 2010 02:20:18 PM PST
Local ID                      dfa4e283-c82a-406c-954b-46c6af2794dc
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268000418.464:36): avc:  denied  { read } for  pid=3298 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=27800 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1268000418.464:36): arch=c000003e syscall=2 success=yes exit=128 a0=7fff4a25bc87 a1=0 a2=0 a3=8 items=0 ppid=1743 pid=3298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)

Hash String generated from  device,hald-probe-volu,hald_t,device_t,blk_file,read
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;
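The setroubleshoot text above makes the point that matters here: when a block device still carries device_t, the generic label of /dev, the problem is labeling (or a race in how the node was created and labeled), and the audit2allow rule it prints would grant hald_t read on every mislabeled device rather than fix the cause. The following shell functions are an added example, not code from the bug report or from the selinux-policy package: they parse an AVC record the way the "audit2allow suggests" step does, emit the same allow rule, and flag the generic-label case so the recommended action is restorecon instead of a policy change. The sample record is the first AVC line from this report, embedded as constructed input; the function names are my own.

```shell
# Added example: turn an AVC record into the audit2allow-style rule and
# decide whether the right response is a policy rule or a relabel.
# Assumes only POSIX sh, sed, cut and tr.

# Constructed sample: the first AVC line from this report, copied verbatim.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1268000418.464:36): avc:  denied  { read } for  pid=3298 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=27800 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file'

# avc_field LINE KEY -> value of the whitespace-delimited KEY=value pair
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permission list inside "{ ... }", trailing space removed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_to_rule LINE -> "allow SRC TGT:CLASS PERMS;" exactly as audit2allow prints it
avc_to_rule() {
    line=$1
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    case $perms in
        *" "*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
    esac
}

# avc_mislabeled_device LINE -> exit 0 when the target is a block or character
# device node still carrying device_t, the /dev directory default. That is the
# "mislabeled, not a policy gap" case setroubleshoot describes for this bug.
avc_mislabeled_device() {
    line=$1
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    [ "$tgt" = device_t ] && { [ "$cls" = blk_file ] || [ "$cls" = chr_file ]; }
}

# avc_advise LINE -> one line naming the action: relabel the node, or carry the
# rule to policy. For the relabel case the rule is printed only to show what
# must NOT be added, since it would cover every device that ever appears as device_t.
avc_advise() {
    line=$1
    name=$(avc_field "$line" name | tr -d '"')
    if avc_mislabeled_device "$line"; then
        printf 'relabel: restorecon -v /dev/%s  (do not add: %s)\n' "$name" "$(avc_to_rule "$line")"
    else
        printf 'policy: %s\n' "$(avc_to_rule "$line")"
    fi
}

# Usage on the sample record; pipe real records through `ausearch -m avc` to reuse it.
avc_advise "$SAMPLE_AVC"
```

On a live system the relabel branch is the one to try first, then `ls -lZ /dev/dm-*` again: if the node comes back as fixed_disk_device_t, the policy was never at fault, and the remaining question is which program created the node before it was labeled, which is what the later comments in this report chase down.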

Comment 1 Daniel Walsh 2010-03-09 14:34:12 UTC
If you just run 

cryptsetup luksOpen /dev/sdb5 luks-extra; ls -lZ /dev/dm-*


What do you get for output?

Comment 2 Daniel Walsh 2010-03-09 14:36:02 UTC
Miroslav, 

I think we need

	optional_policy(`
		lvm_run(unconfined_usertype, unconfined_r)
	')

Comment 3 Daniel Walsh 2010-03-09 14:38:27 UTC
Also lvm_run should look like

interface(`lvm_run',`
	gen_require(`
		type lvm_t;
		type clvmd_t;
	')

	lvm_domtrans($1)
	role $2 types lvm_t;
	role $2 types clvmd_t;

	modutils_run_insmod(lvm_t, $2)
')

Comment 4 Miroslav Grepl 2010-03-09 14:44:33 UTC
OK, added to selinux-policy-3.6.32-100.fc12

Comment 5 Maciej Żenczykowski 2010-03-09 20:44:18 UTC
# cryptsetup luksOpen /dev/sdb5 luks-extra; ls -lZ /dev/dm-*
Enter passphrase for /dev/sdb5: 
Key slot 0 unlocked.
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-4
brw-------. root root system_u:object_r:device_t:s0    /dev/dm-5

# ls -lZ /dev/dm-*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-4
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5

Comment 6 Brad 2010-03-15 04:26:56 UTC
I see this error also on a crypt filesystem mounted via pam-mount 
(i.e. <volume fstype="crypt" ... /> in /etc/security/pam_mount.conf.xml).

I'll note that before I added option="fsck" I did not see this error.  Not sure if that's related.

Comment 7 Fedora Update System 2010-03-15 22:17:37 UTC
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 8 Fedora Update System 2010-03-16 23:23:51 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 9 Fedora Update System 2010-03-20 03:29:49 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Michael Monreal 2010-04-06 22:37:36 UTC
I wonder if the fixed policy package CAUSED the same error to appear for me? At least I am seeing selinux warnings for some time now and the reporting tool now brought me here. Not exactly sure what causes the problem for me but I use LUKS as well...

Comment 11 Daniel Walsh 2010-04-07 14:17:13 UTC
Michael please attach the output from the troubleshooter

Comment 12 Michael Monreal 2010-04-09 19:20:38 UTC
I upgraded to the policy packages in updates-testing (-108) and have not seen the problem since.

Comment 13 Maciej Żenczykowski 2010-04-17 01:17:19 UTC
So... this just happened to me once again, and once again when I look at the file the context is correct, so it looks like it is a race condition.  Note that this is with -108.  Now upgrading to -110.

Summary:

SELinux is preventing /usr/libexec/hald-probe-volume "read" access to device
dm-5.

Detailed Description:

SELinux has denied hald-probe-volu "read" access to device dm-5. dm-5 is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'dm-5'. If this
device remains labeled device_t, then this is a bug in SELinux policy. Please
file a bug report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for dm-5, you can use chcon -t
SIMILAR_TYPE 'dm-5'. If this fixes the problem, you can make this permanent by
executing semanage fcontext -a -t SIMILAR_TYPE 'dm-5'. If the restorecon changes
the context, this indicates that the application that created the device,
created it without using SELinux APIs. If you can figure out which application
created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v 'dm-5' or chcon -t SIMILAR_TYPE 'dm-5'

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                dm-5 [ blk_file ]
Source                        hald-probe-volu
Source Path                   /usr/libexec/hald-probe-volume
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux nike
                              2.6.32.10-88.fc12.x86_64 #1 SMP Sat Mar 20
                              01:25:13 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 16 Apr 2010 10:36:48 AM PDT
Last Seen                     Fri 16 Apr 2010 10:36:48 AM PDT
Local ID                      91cf5a80-abb3-45b4-b1ff-f8808814a1cd
Line Numbers                  

Raw Audit Messages            

node=nike type=AVC msg=audit(1271439408.17:13149): avc:  denied  { read } for  pid=4635 comm="hald-probe-volu" name="dm-5" dev=devtmpfs ino=282028235 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=nike type=SYSCALL msg=audit(1271439408.17:13149): arch=c000003e syscall=2 success=no exit=-13 a0=7ffff315fcf4 a1=0 a2=0 a3=8 items=0 ppid=1757 pid=4635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)

Comment 14 Daniel Walsh 2010-04-20 12:52:04 UTC
Miroslav

F13 has

dev_manage_generic_blk_files(hald_t)

Comment 15 Miroslav Grepl 2010-04-20 13:07:36 UTC
It was fixed in selinux-policy-3.6.32-109.fc12.

Maciej,
just run

yum update selinux-policy-targeted

