Stephan Wiesand wrote:
> Hi Troy,
> 
> On Jan 12, 2011, at 17:57 , Troy Dawson wrote:
> 
>> On the subject of openafs, we're found one selinux bug.
>> If you have selinux turned on, then the /afs directory, by default, has the wrong selinux settings.
>>
>> To fix this you have to run
>>  restorecon -v /afs
>> (Actually you don't need the -v, but it's nice to see that something is done)
>> And then you can start afs normally.
>>
>> We'll have something in place by this friday's Alpha/Beta rollout.
> 
> 
> it's certainly a bug, but I'm not sure where it's sitting. There are three ways I'm aware of to make sure the /afs mount point has the right context with rpm/yum:
> 
> 1) guarantee that the policy rpm is installed after openafs client
>  - not feasible, right?
> 2) make sure restorecond is running when /afs is created, and change its configuration to care for /afs
>  - even worse, and creating an unnecessary dependency on policycoreutils
> 3) correct the context in openafs-client's %post
>  - when using restorecon, creates an unnecessary dependency on policycoreutils
>  - when using chcon, requires the package to know the "right" context to apply
> 

Found the solution

4) put a --triggers on openafs-client that triggers on policycoreutils 
(the package that has restorecond)

%triggerin  -n openafs-client -- policycoreutils
/sbin/restorecon /afs

Since it is a trigger, it doesn't automatically pull in policycoreutils 
as a dependancy.  This way if someone does have selinux installed, this 
trigger will set /afs to the proper settings.  And if they don't have 
selinux installed, nothing happens.

And, if you are wondering, I've tested to make sure this builds with the 
proper dependencies, but I haven't yet tested to make sure it properly 
fixes the problem.

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________