On Mon, 2005-11-14 at 17:11 +0100, Stephan Wiesand wrote:
> Works for me (updating the packages in %post during installation).
> The policy changes are similar to something I'd tried successfully before.
> I still get a warning when moving a file from AFS into /tmp (not in the
> other direction, this now works).
>
> Having these changes in 4.2 would be good.
>
> NB when compared to CIFS:
>
> type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
> type afs_t, fs_type, root_dir_type, noexattrfile;

I think a (local) sysadmin role should probably not go around changing AFS files. But I am not an expert on SELinux either..

> Did I get it right that this will only make a difference under the strict
> policy? I have to learn more about SELinux...

Unfortunately, the issues we have seen were with the "targeted" policy (which is why I only patched that one). In detail, /etc/init.d/afs (which runs under "targeted" as initrc_exec_t, like all other init.d files) was not allowed to mount afs, since nothing was known about that file system. The second problem came from the %post script of the policy RPM (i.e. triggered on updates), where fixfiles would get run on the parent of all home directories (these directories get noted in the file_context file).

Best regards
jan