We create directories using the name of the instance under /var/lib and /var/log. But we don't own those directories, they are a shared system resource. There is nothing which prevents path name collisions with other RPM packages. We should only create our instance data in directories owned by our RPM package. We already do this with /usr/share/pki and /etc/sysconfig/pki. We should follow the same pattern and create /var/lib/pki and /var/log/pki in the RPM and then locate the instance directories under the package specific (e.g. pki) subdirectory. 

I haven't checked if there might be other files/directories we create which are in locations not owned by us but we should do a check by examining the install log and/or installation manifest. I'm aware of at least one file we create in a directory we do not own (/etc/sysconfig/<instance>) which is the tomcat6 configuration file, but we can't change that, it's convention used by tomcat6.

FWIW this problem was observed when trying to clean up some of the tomcat6 log file issues in bug 695284 and bug 701759 (one is a clone of the other)