Hi Jan, Jarek,

On Mon, 2 May 2005, Jan Iven wrote:

> On Mon, 2005-05-02 at 10:13, Stephan Wiesand wrote:
> ..
>> No, it doesn't. It looks as though an "echo 0 >>/selinux/enforce" does,
>> though. Is SELinux enabled and set to enforcing on your test system?
>
> enabled+enforcing, but in 'targeted' mode only.

Same here. That's enough to make mv's of files from /tmp with the
default context (set upon the touch in Jarek's example) into AFS fail.

It's not an openafs issue, I believe. And it's a feature, not a bug. From
RH's SELinux Guide:

  mv
      The file retains its original label. This may cause problems,
      confusion, or minor insecurity.

  cp
      A plain copy creates the new file following the default behavior
      based on the domain of the creating process (cp) and the type of
      the target directory.

  cp -Z user:role:type
      The new file is relabeled as it is created based on the command
      line option. The extended GNU option --context is the same as -Z.

And indeed cp from /tmp to afs succeeds, while cp -Z fails. It's just that
w.r.t. SELinux contexts, cp (behaving like touch, even with the -a switch)
and mv have different default semantics.

>> Is anyone reading this sufficiently familiar with SELinux to know
>> how to cope with this yet? I'm afraid AFS won't have extended attributes
>> anytime soon...
>
> Are not necessarily required, the
> genfs_contexts mechanism from /etc/selinux/targeted/src/policy should be
> enough. Somebody already had put together a "policy" for AFS clients:
>
> https://lists.openafs.org/pipermail/openafs-info/2003-January/007817.html

Eventually, having such a policy for SL would probably be good. But I'm
far from understanding SELinux well enough to implement or even try
anything...

Cheers,
 	Stephan

-- 
  ----------------------------------------------------
| Stephan Wiesand  |                                |
|                  |                                |
| DESY     - DV -  | phone  +49 33762 7 7370        |
| Platanenallee 6  | fax    +49 33762 7 7216        |
| 15738 Zeuthen    |                                |
| Germany          |                                |
  ----------------------------------------------------