Unrelated: openafs-1.6.5.1 SRPM has not been pushed to 6.5/SRPMS/sl6

After updating to selinux-policy 3.7.19-231 our AFS server processes failed to start with a slew of AVCs in the audit.log. There appears to be a multitude of issues with the AFS SELinux policy shipped by TUV which were triggered by this update. I set our servers into permissive, which allowed the processes to come up, but I'm not sure how to approach a real fix for this issue.

My initial question is this: was AFS ever supposed to run confined to begin with? I don't think it was, as files created by the processes themselves before this policy were labeled with the unconfined_u user. If they weren't, a workaround may be to reset the server executables to bin_t to prevent them from transitioning to confined contexts.

SELinux fs contexts grepped for afs:

/afs                                 directory     system_u:object_r:mnt_t:s0
/etc/rc\.d/init\.d/afs               regular file  system_u:object_r:afs_initrc_exec_t:s0
/etc/rc\.d/init\.d/openafs-client    regular file  system_u:object_r:afs_initrc_exec_t:s0
/usr/afs/bin/bosserver               regular file  system_u:object_r:afs_bosserver_exec_t:s0
/usr/afs/bin/fileserver              regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/bin/kaserver                regular file  system_u:object_r:afs_kaserver_exec_t:s0
/usr/afs/bin/ptserver                regular file  system_u:object_r:afs_ptserver_exec_t:s0
/usr/afs/bin/salvager                regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/bin/vlserver                regular file  system_u:object_r:afs_vlserver_exec_t:s0
/usr/afs/bin/volserver               regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/db                          directory     system_u:object_r:afs_dbdir_t:s0
/usr/afs/db/ka.*                     regular file  system_u:object_r:afs_ka_db_t:s0
/usr/afs/db/pr.*                     regular file  system_u:object_r:afs_pt_db_t:s0
/usr/afs/db/vl.*                     regular file  system_u:object_r:afs_vl_db_t:s0
/usr/afs/etc(/.*)?                   all files     system_u:object_r:afs_config_t:s0
/usr/afs/local(/.*)?                 all files     system_u:object_r:afs_config_t:s0
/usr/afs/logs(/.*)?                  all files     system_u:object_r:afs_logfile_t:s0
/usr/sbin/afsd                       regular file  system_u:object_r:afs_exec_t:s0
/usr/vice/cache(/.*)?                all files     system_u:object_r:afs_cache_t:s0
/usr/vice/etc/afsd                   regular file  system_u:object_r:afs_exec_t:s0
/var/cache/afs(/.*)?                 all files     system_u:object_r:afs_cache_t:s0
/vicepa                              all files     system_u:object_r:afs_files_t:s0
/vicepb                              all files     system_u:object_r:afs_files_t:s0
/vicepc                              all files     system_u:object_r:afs_files_t:s0

Only some of the AFS executables are labeled with execution contexts; notably, da{fileserver,volserver,salvager} are not labeled, nor is buserver.

Attached is a sampling of the audit logs from my DB and FS servers which shows many denied actions from the various AFS processes.

~Aaron
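
An added example, not part of the original message: one way to check which server binaries the quoted file-context rules actually cover, by parsing an excerpt of the listing above and full-matching each path against the rule regexes. The /usr/afs/bin paths for the da* binaries and buserver are an assumption; the message names those programs but gives no paths.

```python
import re

# Excerpt of the file-context listing quoted in the message above.
LISTING = r"""
/usr/afs/bin/bosserver   regular file  system_u:object_r:afs_bosserver_exec_t:s0
/usr/afs/bin/fileserver  regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/bin/salvager    regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/bin/volserver   regular file  system_u:object_r:afs_fsserver_exec_t:s0
/usr/afs/bin/vlserver    regular file  system_u:object_r:afs_vlserver_exec_t:s0
/usr/afs/bin/ptserver    regular file  system_u:object_r:afs_ptserver_exec_t:s0
/usr/afs/logs(/.*)?      all files     system_u:object_r:afs_logfile_t:s0
"""

# Assumption: the demand-attach binaries and buserver live in /usr/afs/bin
# beside the labeled servers (the message does not give their paths).
SERVER_BINARIES = [
    "/usr/afs/bin/bosserver", "/usr/afs/bin/fileserver",
    "/usr/afs/bin/dafileserver", "/usr/afs/bin/davolserver",
    "/usr/afs/bin/dasalvager", "/usr/afs/bin/buserver",
]

# Columns: path regex, file class (may contain a space), user:role:type:level.
RULE_RE = re.compile(r"^(\S+)\s+(.+?)\s+[^:\s]+:[^:\s]+:([^:\s]+):\S+$")

def parse_rules(listing):
    """Return (compiled path regex, file class, SELinux type) per listing line."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return rules

def type_for(path, rules):
    """Type of the first rule matching the whole path, else None."""
    # File-context regexes are anchored at both ends. First match is enough
    # here because the excerpt's rules do not overlap (a simplification).
    for regex, _fclass, setype in rules:
        if regex.fullmatch(path):
            return setype
    return None

def missing_exec_label(paths, rules):
    """Paths that no rule in this listing maps to an *_exec_t type."""
    return [p for p in paths if not (type_for(p, rules) or "").endswith("_exec_t")]

if __name__ == "__main__":
    rules = parse_rules(LISTING)
    for p in SERVER_BINARIES:
        print(f"{p:30} {type_for(p, rules) or '(no AFS rule)'}")
```

On a live host the listing would come from the system's file-context database rather than an embedded string, and the binaries reported as missing are the ones that would not transition into an AFS domain when started.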