SCIENTIFIC-LINUX-DEVEL Archives

January 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Wed, 12 Jan 2011 15:44:15 -0600
Troy J Dawson wrote:
> Stephan Wiesand wrote:
>> Hi Troy,
>>
>> On Jan 12, 2011, at 17:57 , Troy Dawson wrote:
>>
>>> On the subject of openafs, we've found one selinux bug.
>>> If you have selinux turned on, then the /afs directory, by default, has the wrong selinux settings.
>>>
>>> To fix this you have to run
>>>  restorecon -v /afs
>>> (Actually you don't need the -v, but it's nice to see that something is done)
>>> And then you can start afs normally.
>>>
>>> We'll have something in place by this Friday's Alpha/Beta rollout.
>>
>> it's certainly a bug, but I'm not sure where it's sitting. There are three ways I'm aware of to make sure the /afs mount point has the right context with rpm/yum:
>>
>> 1) guarantee that the policy rpm is installed after openafs client
>>  - not feasible, right?
>> 2) make sure restorecond is running when /afs is created, and change its configuration to care for /afs
>>  - even worse, and creating an unnecessary dependency on policycoreutils
>> 3) correct the context in openafs-client's %post
>>  - when using restorecon, creates an unnecessary dependency on policycoreutils
>>  - when using chcon, requires the package to know the "right" context to apply
>>
> 
> Found the solution
> 
> 4) put a --triggers on openafs-client that triggers on policycoreutils 
> (the package that has restorecond)
> 
> %triggerin  -n openafs-client -- policycoreutils
> /sbin/restorecon /afs
> 
> Since it is a trigger, it doesn't automatically pull in policycoreutils 
> as a dependency.  This way if someone does have selinux installed, this 
> trigger will set /afs to the proper settings.  And if they don't have 
> selinux installed, nothing happens.
> 
> And, if you are wondering, I've tested to make sure this builds with the 
> proper dependencies, but I haven't yet tested to make sure it properly 
> fixes the problem.
> 
> Troy

And now I've tested it completely.  Having trigger do the work, works.

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________
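
Added example (not part of the original message or of the openafs packaging): a guarded body for the %triggerin scriptlet discussed above, written as a shell function so its decisions can be exercised outside of rpm. The root argument, the RESTORECON and MOUNTS overrides, and the skip-if-mounted check are assumptions made for this example.

```shell
# Added example: guarded body for
#   %triggerin -n openafs-client -- policycoreutils
# The root argument and the RESTORECON / MOUNTS overrides are hypothetical
# test hooks; on an installed system they default to the live paths.
relabel_afs_mountpoint() {
    root="${1:-}"
    restorecon="${RESTORECON:-/sbin/restorecon}"
    mounts="${MOUNTS:-/proc/mounts}"
    dir="$root/afs"

    # The mount point may not exist yet when the trigger fires.
    if [ ! -d "$dir" ]; then
        echo "skip: no /afs directory"; return 0
    fi
    # A trigger adds no dependency on policycoreutils, so check for the
    # binary instead of assuming it is present and executable.
    if [ ! -x "$restorecon" ]; then
        echo "skip: restorecon not installed"; return 0
    fi
    # Assumption: if a filesystem is already mounted on /afs, the path no
    # longer names the underlying directory, so relabeling is left alone.
    if awk -v d="$dir" '$2 == d { hit = 1 } END { exit !hit }' \
           "$mounts" 2>/dev/null; then
        echo "skip: /afs is mounted"; return 0
    fi
    # Report a labeling failure, but never fail the scriptlet over it.
    if "$restorecon" "$dir"; then
        echo "relabeled"
    else
        echo "warn: restorecon failed"
    fi
    return 0
}
```

In a spec file the trigger body would contain this function followed by a call to it with no argument.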
