
SELinux type getting set incorrectly for files uploaded VIA a Rails application


Most likely your application is moving ('mv') the object from /tmp or /var/tmp to the destination location.

By default, when an object is moved with 'mv', so is its security metadata. Thus the object ends up at the destination with old and inaccurate security metadata. Running 'restorecon' on the destination objects resets the contexts to what the policy thinks they should be.

There are various ways you can deal with this. Either allow your webapp to read the object with the inaccurate context, or tell your webapp to either use 'mv' with the -Z option or use 'cp' instead. (The 'cp' command copies the object, and as a consequence the target object ends up with the appropriate security metadata, usually mostly inherited from the target's parent directory.)
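The 'cp' approach from the answer above, as an added Ruby example that is not part of the original answer or of the application in question. The helper names `store_upload` and `relabel` are hypothetical, and the code assumes `restorecon` is on PATH when SELinux is in use.

```ruby
require "fileutils"
require "securerandom"

# Hypothetical helper: run restorecon on the stored file when the tool exists.
# Returns true only if restorecon ran and succeeded.
def relabel(path)
  dirs = ENV.fetch("PATH", "").split(File::PATH_SEPARATOR)
  return false unless dirs.any? { |d| File.executable?(File.join(d, "restorecon")) }
  system("restorecon", path, out: File::NULL, err: File::NULL) == true
end

# Hypothetical helper: place an uploaded temp file into dest_dir without
# carrying the temp file's SELinux context along with it.
def store_upload(tmp_path, dest_dir, filename)
  # Keep only the last path component so a client-supplied name stays in dest_dir.
  safe_name = File.basename(filename)
  if safe_name.empty? || safe_name.start_with?(".") || safe_name.include?("/")
    raise ArgumentError, "invalid filename"
  end
  final_path = File.join(dest_dir, safe_name)
  staging = File.join(dest_dir, ".upload-#{SecureRandom.hex(8)}")

  # FileUtils.cp creates a NEW file inside dest_dir, so it is labelled at
  # creation time (usually from the parent directory). FileUtils.mv on the
  # same filesystem is a rename, which keeps the old inode and its old label.
  FileUtils.cp(tmp_path, staging)
  # Renaming within dest_dir is atomic and the staging file is already
  # labelled for that directory, so nothing stale is carried over.
  File.rename(staging, final_path)
  FileUtils.rm_f(tmp_path)

  relabel(final_path) # belt and braces: reset to what the policy expects
  final_path
ensure
  # No-op after a successful rename; removes the partial copy on failure.
  FileUtils.rm_f(staging) if staging
end
```

On an SELinux host, `ls -Z` on the stored file shows whether it picked up the destination's type rather than the temp directory's.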


So apparently SELinux suppresses some error messages...

In order to debug this I had to run

semodule -DB

This rebuilds/restarts the local policy with the disable "don't log" flag. Once "don't log" is disabled, the error messages show up in the audit log and you can add a new policy using the regular:

sealert -a /var/log/audit.log

Then find the audit2allow command for the error in question.

You can set your logging back to normal afterwards by running

semodule -B