On Mon, 2005-11-14 at 17:11 +0100, Stephan Wiesand wrote: 
> Works for me (updating the packages in %post during installation).
> The policy changes are similar to something I'd tried successfully before.
> I still get a warning when moving a file from AFS into /tmp (not in the 
> other direction, this now works).
> 
> Having these changes in 4.2 would be good.
> 
> NB when compared to CIFS:
> 
>    type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
>    type afs_t, fs_type, root_dir_type, noexattrfile;

I think a (local) sysadmin role should probably not go around changing
AFS files. But I am not an expert on SELinux either.

> Did I get it right that this will only make a difference under the strict 
> policy? I have to learn more about SELinux...

Unfortunately, the issues we have seen were with the "targeted" policy
(which is why I only patched that one). In detail,
/etc/init.d/afs (which runs under "targeted" as initrc_exec_t, like all
other init.d files) was not allowed to mount afs, since nothing was
known about that file system.

The second problem came from the %post script of the policy RPM (i.e.
triggered on updates), where fixfiles would get run on the parent of all
home directories (these directories get noted in the file_context file).

Best regards
jan