selinux-policy-default（2:2.20231119-2）软件包内容详细介绍（2）

接前一篇文章：selinux-policy-default（2:2.20231119-2）软件包内容详细介绍（1）

4. 重点文件内容解析

（1）control/postist文件

文件内容如下：

#!/bin/sh
set -e
 
# summary of how this script can be called:
#        *  `configure' 
#        *  `abort-upgrade' 
#        *  `abort-remove' `in-favour' 
#          
#        *  `abort-remove'
#        *  `abort-deconfigure' `in-favour'
#            `removing'
#           
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
 
# Will be replaced by the binary package flavour in debian/rules
flavour="default"
priority=100
 
# modules which are not enabled by default, because they are usually
# not needed on a debian system
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"
 
platform=$(hostnamectl chassis) || true
case "$platform" in
  handset)
# dont need staff role
    notdefault="$notdefault staff"
# dont need hardware specific things for non phone hardware
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need serious server daemons
    notdefault="$notdefault afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
# dont need time sharing system daemons
    notdefault="$notdefault comsat finger oident rwho slocate slrnpull uptime quota"
  ;;
  vm)
# dont need hardware specific things for vms
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd geoclue iiosensorproxy"
  ;;
  desktop)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need portable stuff
    notdefault="$notdefault geoclue"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
  laptop)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
 
  *)
    echo "Unknown output from hostnamectl or not running systemd"
  ;;
esac
 
. /etc/selinux/config
 
case "$1" in
    configure)
	echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."
 
	# list all the modules that are already installed with our priority
	already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`
 
	# record which non-default modules do not yet exist for disabling them later
	to_disable=""
	for module in ${notdefault}; do
	installed=0
	for inst_module in ${already_installed}; do
	    if [ $module = $inst_module ]; then
		installed=1
		break
	    fi
	done
	if [ $installed -ne 1 ]; then
	    to_disable="$to_disable -d${module}"
	fi
	done
 
	# List all the modules that we are going to install
	to_install=""
	for module in `cat /usr/share/selinux/${flavour}/.modules`; do
	    to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
	done
 
	# Now build a list of the modules that we were shipping before but that we are not
	# anymore and that we need to remove
	to_remove=""
	for inst_module in $already_installed; do
	    remove_module=1
	    for pkg_module in `cat /usr/share/selinux/${flavour}/.modules`; do
		if [ $inst_module = $pkg_module ]; then
		    remove_module=0
		    break
		fi
	    done
	    if [ $remove_module -eq 1 ]; then
		to_remove="$to_remove -r${inst_module}"
	    fi
	done
 
	# Now load policy into the kernel if it is the configured policy
	# and we are running selinux
	if [ "${SELINUXTYPE}" != "${flavour}" ] || ! selinuxenabled; then
	    noreload='-n'
	fi
 
	ret=0
	semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$?
	if [ $ret -eq 0 ]; then
	    echo " done."
	else
	    echo " failed."
	    exit $ret
	fi
	FC=/etc/selinux/$flavour/contexts/files/file_contexts
	OLDFC=$FC.old
	if [ -f $OLDFC ]; then
	    OLDSORT=$(mktemp)
	    NEWSORT=$(mktemp)
	    sort < $OLDFC > $OLDSORT
	    sort < $FC > $NEWSORT
	    ORIGDIFF=$(mktemp)
	    diff $OLDSORT $NEWSORT | grep -v ^[0-9] > $ORIGDIFF || true
	    rm $OLDSORT $NEWSORT
	    if [ -s $ORIGDIFF ]; then
		DIFF=$(mktemp)
		cut -f2 -d\  < $ORIGDIFF > $DIFF
		GOOD=$(mktemp)
		grep -v ^/run $DIFF |grep -v ^/dev | grep "/.*/" > $GOOD || true
		if [ -s $GOOD ]; then
		    echo ""
		    echo "Relabeling matches for the following file context changes:"
		    cat $GOOD
		    echo ""
		    DIRS=$(cat $GOOD | sed -e 's/(\.\*\/).*$//' -e 's/(.*$//' -e 's/\/[^/]*$//' -e 's/\/[0-9a-z]*\[.*$//' | sort -u | /usr/libexec/selinux/remove-leaf-dirs)
		    echo The following directories: $DIRS
		    restorecon -R -v $DIRS || echo "restorecon gave an error but package is still ok"
		fi
		rm $GOOD
		PROB=$(mktemp)
		grep ^../run $ORIGDIFF > $PROB || true
		grep ^../dev $ORIGDIFF >> $PROB || true
		grep -v "/.*/" $ORIGDIFF >> $PROB || true
 
		if [ -s $PROB ]; then
		    echo "The following lines have changes that can't be automatically applied, consider"
		    echo "manually relabelling them if appropriate:"
		    cat $PROB
		fi
		rm $DIFF $PROB
	    else
		echo "No changes to file contexts"
	    fi
	    rm $ORIGDIFF $OLDFC
	fi
    ;;
 
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;
 
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac
 
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
 
# Automatically added by dh_installdeb/13.11.6
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/local.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/system.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.read.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.trans.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/active/file_contexts.local 2:2.20140421-10\~ -- "$@"
# End automatically added section
 
 
exit 0

control/postist文件总共189行，还是比较长的，内容也比较多。下边一段一段来看。

1）!#/bin/sh

这无需多言，#!/bin/sh是指此脚本使用/bin/sh来解释执行。

2）set -e

set -e是shell中的一个选项，其作用是在脚本执行过程中，一旦出现任何命令执行失败（返回非零的退出状态码），脚本就会立即退出，后续的脚本将不会得到执行的机会。

注意：

使用set -e，当一行命令中包含多个子命令时，即使某个子命令返回值不为0，但最终那一行命令的返回值为0，脚本也不会报错退出。

3）注释说明

接下来是一段如何运行postinst的具体说明。这一段如下：

# summary of how this script can be called:
#        *  `configure' 
#        *  `abort-upgrade' 
#        *  `abort-remove' `in-favour' 
#          
#        *  `abort-remove'
#        *  `abort-deconfigure' `in-favour'
#            `removing'
#           
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

这一段是关于如何调用此（postinst）脚本的摘要。更多详细信息，参阅http://www.debian.org/doc/debian-policy/或debian-policy包。

4）变量赋值语句

接下来是几个变量赋值语句，代码片段如下：

# Will be replaced by the binary package flavour in debian/rules
flavour="default"
priority=100
 
# modules which are not enabled by default, because they are usually
# not needed on a debian system
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"

设置变量flavour的值为"default"，此值将被debian/rule中的二进制包flavour所代替。

设置变量priority的值为100。

设置变量nodefault的值为"aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"。这些值代表默认情况下不会被使能的模块，因为debian系统通常不需要这些模块。

5）platform变量赋值

接下来是以下一行代码：

platform=$(hostnamectl chassis) || true

虽然只有一行，但其中内容还是挺多的。主要涉及到hostnamectl命令。

关于hostnamectl命令的详解，请参考相关文章。在此列出笔者电脑中的相关信息，如下： 

$ hostnamectl 
 Static hostname: Ding-Perlis-MP26JBT0
       Icon name: computer
      Machine ID: ccd4c48fdb304652ad40edc548349078
         Boot ID: 11b3d0d94b7c40cb96663b7ff7ee8790
Operating System: DingOS 0.1 (ding-perlis-minsky-v00)
          Kernel: Linux 6.1.46-01-perlis001-2
    Architecture: x86-64
 Hardware Vendor: Lenovo
  Hardware Model: ThinkBook 14 G2 ITL
Firmware Version: F8CN46WW(V2.09)

命令用法：

$ hostnamectl -h
hostnamectl [OPTIONS...] COMMAND ...
 
Query or change system hostname.
 
Commands:
  status                 Show current hostname settings
  hostname [NAME]        Get/set system hostname
  icon-name [NAME]       Get/set icon name for host
  chassis [NAME]         Get/set chassis type for host
  deployment [NAME]      Get/set deployment environment for host
  location [NAME]        Get/set location for host
 
Options:
  -h --help              Show this help
     --version           Show package version
     --no-ask-password   Do not prompt for password
  -H --host=[USER@]HOST  Operate on remote host
  -M --machine=CONTAINER Operate on local container
     --transient         Only set transient hostname
     --static            Only set static hostname
     --pretty            Only set pretty hostname
     --json=pretty|short|off
                         Generate JSON output
 
See the hostnamectl(1) man page for details.

实际hostnamectl chassis命令的返回值：

$ hostnamectl chassis
 

6）根据platform变量的值决定notdefault的进一步值

代码片段如下：

case "$platform" in
  handset)
# dont need staff role
    notdefault="$notdefault staff"
# dont need hardware specific things for non phone hardware
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need serious server daemons
    notdefault="$notdefault afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
# dont need time sharing system daemons
    notdefault="$notdefault comsat finger oident rwho slocate slrnpull uptime quota"
  ;;
  vm)
# dont need hardware specific things for vms
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd geoclue iiosensorproxy"
  ;;
  desktop)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need portable stuff
    notdefault="$notdefault geoclue"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
  laptop)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
 
  *)
    echo "Unknown output from hostnamectl or not running systemd"
  ;;
esac

postinst的其余代码请看下回。