Troy J Dawson wrote:
> Stephan Wiesand wrote:
>> Hi Troy,
>>
>> On Jan 12, 2011, at 17:57 , Troy Dawson wrote:
>>
>>> On the subject of openafs, we've found one selinux bug.
>>> If you have selinux turned on, then the /afs directory, by default, has the wrong selinux settings.
>>>
>>> To fix this you have to run
>>> restorecon -v /afs
>>> (Actually you don't need the -v, but it's nice to see that something is done)
>>> And then you can start afs normally.
>>>
>>> We'll have something in place by this Friday's Alpha/Beta rollout.
>>
>> it's certainly a bug, but I'm not sure where it's sitting. There are three ways I'm aware of to make sure the /afs mount point has the right context with rpm/yum:
>>
>> 1) guarantee that the policy rpm is installed after openafs client
>> - not feasible, right?
>> 2) make sure restorecond is running when /afs is created, and change its configuration to care for /afs
>> - even worse, and creating an unnecessary dependency on policycoreutils
>> 3) correct the context in openafs-client's %post
>> - when using restorecon, creates an unnecessary dependency on policycoreutils
>> - when using chcon, requires the package to know the "right" context to apply
>>
>
> Found the solution
>
> 4) put a --triggers on openafs-client that triggers on policycoreutils
> (the package that has restorecond)
>
> %triggerin -n openafs-client -- policycoreutils
> /sbin/restorecon /afs
>
> Since it is a trigger, it doesn't automatically pull in policycoreutils
> as a dependency. This way if someone does have selinux installed, this
> trigger will set /afs to the proper settings. And if they don't have
> selinux installed, nothing happens.
>
> And, if you are wondering, I've tested to make sure this builds with the
> proper dependencies, but I haven't yet tested to make sure it properly
> fixes the problem.
>
> Troy
And now I've tested it completely. Having trigger do the work, works.
Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________
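
One way to confirm on an installed host that the trigger left /afs with the label the policy expects, as an added example that is not part of the original thread or of the openafs packaging. The function name `check_label`, the overridable `RESTORECON` and `SELINUXENABLED` variables, and the `/usr/sbin/selinuxenabled` default path are assumptions of this sketch; it relies on `restorecon -n -v` printing a line only when a relabel is pending.

```shell
#!/bin/sh
# Added example: report whether a path's SELinux label matches policy
# without changing anything on disk.
# Tool locations are overridable so the check can be exercised with stubs.
RESTORECON=${RESTORECON:-/sbin/restorecon}                     # path used in the thread
SELINUXENABLED=${SELINUXENABLED:-/usr/sbin/selinuxenabled}     # assumed location

# check_label PATH
# Prints one of: ok | mislabeled | selinux-off | no-tool | missing
# Returns 0 for ok and selinux-off, 1 for everything else.
check_label() {
    path=$1

    # The mount point must exist before its label can be compared.
    [ -e "$path" ] || { echo missing; return 1; }

    # Without SELinux (tool absent or reporting disabled) there is
    # nothing to verify, mirroring the "nothing happens" case of the trigger.
    command -v "$SELINUXENABLED" >/dev/null 2>&1 && "$SELINUXENABLED" || {
        echo selinux-off
        return 0
    }

    # SELinux is on but policycoreutils is missing: the trigger never ran.
    command -v "$RESTORECON" >/dev/null 2>&1 || { echo no-tool; return 1; }

    # -n: make no changes; -v: print each label that would be reset.
    # Any output means the current context differs from the policy default.
    out=$("$RESTORECON" -n -v "$path" 2>/dev/null)
    if [ -n "$out" ]; then
        echo mislabeled
        return 1
    fi

    echo ok
    return 0
}
```

Calling `check_label /afs` after installing openafs-client and policycoreutils in either order should print `ok` if the trigger did its job.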