Some denials are caused by SELinux constraints—additional restrictions imposed by the SELinux policy that are not purely based on the SELinux types, but also on the SELinux role and SELinux user. This is often not clear from the denial.
The audit2why application helps in informing developers that a denial came from a constraint violation:
~# ausearch -m avc -ts recent | grep type=AVC | audit2why type=AVC msg=audit(1401134596.932:62843): avc: denied { search } for pid=19384 comm="mount.nfs4" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir Was caused by: Policy constraint violation. May require adding a type attribute to the domain or type to satisfy the constraint. Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
This is, however, not always the case, so we need to find a way to investigate...