接前一篇文章:selinux-policy-default(2:2.20231119-2)軟件包內容詳細介紹(1)
4. 重點文件內容解析
(1)control/postinst文件
文件內容如下:
#!/bin/sh
# postinst for the selinux-policy-<flavour> package: installs the shipped policy
# modules into the module store and relabels files whose contexts changed.
#
# Abort on the first failing command. Commands whose failure is acceptable are
# guarded explicitly with `|| :` further down.
set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Will be replaced by the binary package flavour in debian/rules
flavour="default"

# semodule store priority (-X) under which this package's modules are
# installed; modules already present at this priority are treated as ours.
priority=100

# modules which are not enabled by default, because they are usually
# not needed on a debian system (they are installed and then disabled with
# semodule -d; note that rlogin/rshd/telnet are legacy cleartext services)
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned"
notdefault="${notdefault} likewise livecd nessus numad oddjob openca rlogin rshd"
notdefault="${notdefault} soundserver telnet publicfile thunderbird updfstab usernetctl"

# Chassis type reported by systemd-hostnamed (handset, vm, desktop, laptop, ...).
# hostnamectl may be absent or fail without systemd/D-Bus; that must not abort
# the postinst under `set -e`, so the result is left empty and handled by the
# default branch of the following case statement.
platform=$(hostnamectl chassis) || :
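case "$platform" in
    handset)
        # dont need staff role
        notdefault="$notdefault staff"
        # dont need hardware specific things that a phone does not have
        notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
        # dont need VM things
        notdefault="$notdefault hypervkvp"
        # dont need serious server daemons
        notdefault="$notdefault afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
        # dont need time sharing system daemons
        notdefault="$notdefault comsat finger oident rwho slocate slrnpull uptime quota"
        ;;
    vm)
        # dont need hardware specific things for vms
        notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
        # dont need handset stuff
        notdefault="$notdefault eg25manager feedbackd geoclue iiosensorproxy"
        ;;
    desktop)
        # dont need VM things
        notdefault="$notdefault hypervkvp"
        # dont need portable stuff
        notdefault="$notdefault geoclue"
        # dont need handset stuff
        notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
        ;;
    laptop)
        # dont need VM things
        notdefault="$notdefault hypervkvp"
        # dont need handset stuff
        notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
        ;;
    *)
        # Also reached for chassis values that simply have no branch above
        # (e.g. "server" or "container"), so the wording is misleading there;
        # such systems just keep the baseline notdefault list.
        echo "Unknown output from hostnamectl or not running systemd"
        ;;
esac

# Provides SELINUXTYPE, the policy flavour the system is configured to run.
# SECURITY NOTE: the file is sourced, i.e. executed as shell code with root
# privileges while the package is being configured; it must stay root-owned
# and contain only KEY=value assignments. If it is missing, `.` is a fatal
# error for a non-interactive sh and the postinst aborts here.
. /etc/selinux/config

case "$1" in
    configure)
        printf '%s' "Updating selinux ${flavour} policy (this step might take a moment)..."

        # list all the modules that are already installed with our priority
        already_installed=$(semodule -s "${flavour}" --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2)

        # record which non-default modules do not yet exist for disabling them later
        # (a module already present at our priority keeps whatever enable state
        # the administrator gave it; only first-time installs are disabled)
        to_disable=""
        for module in ${notdefault}; do
            installed=0
            for inst_module in ${already_installed}; do
                if [ "$module" = "$inst_module" ]; then
                    installed=1
                    break
                fi
            done
            if [ "$installed" -ne 1 ]; then
                to_disable="$to_disable -d${module}"
            fi
        done

        # List all the modules that we are going to install. The package-shipped
        # .modules manifest is the only source of names, so every -i path points
        # into /usr/share/selinux/${flavour}/.
        to_install=""
        for module in $(cat "/usr/share/selinux/${flavour}/.modules"); do
            to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
        done

        # Now build a list of the modules that we were shipping before but that we are not
        # anymore and that we need to remove
        to_remove=""
        for inst_module in $already_installed; do
            remove_module=1
            for pkg_module in $(cat "/usr/share/selinux/${flavour}/.modules"); do
                if [ "$inst_module" = "$pkg_module" ]; then
                    remove_module=0
                    break
                fi
            done
            if [ "$remove_module" -eq 1 ]; then
                to_remove="$to_remove -r${inst_module}"
            fi
        done

        # Now load policy into the kernel if it is the configured policy
        # and we are running selinux; otherwise only the on-disk module store
        # is updated (-n). Initialised explicitly so a stray 'noreload' in the
        # caller's environment cannot leak into the semodule command line.
        noreload=""
        if [ "${SELINUXTYPE}" != "${flavour}" ] || ! selinuxenabled; then
            noreload='-n'
        fi
        ret=0
        # $to_remove/$to_install/$to_disable are deliberately unquoted: each is a
        # space-separated list of -r/-i/-d options assembled above.
        semodule -X "$priority" $noreload -s "$flavour" $to_remove $to_install $to_disable || ret=$?
        if [ "$ret" -eq 0 ]; then
            echo " done."
        else
            echo " failed."
            exit "$ret"
        fi

        # Relabel whatever the file_contexts changes affect. $OLDFC is a copy of
        # the previous file_contexts (presumably saved by the preinst -- not
        # visible here); it is consumed and removed at the end of this step.
        FC=/etc/selinux/$flavour/contexts/files/file_contexts
        OLDFC=$FC.old
        if [ -f "$OLDFC" ]; then
            OLDSORT=$(mktemp)
            NEWSORT=$(mktemp)
            sort < "$OLDFC" > "$OLDSORT"
            sort < "$FC" > "$NEWSORT"
            ORIGDIFF=$(mktemp)
            # Keep only the "< old" / "> new" lines of the normal-format diff; hunk
            # headers ("3c3", "5a6,7", ...) start with a digit. The pattern is
            # quoted so the shell cannot glob-expand it against the cwd (SC2062).
            diff "$OLDSORT" "$NEWSORT" | grep -v '^[0-9]' > "$ORIGDIFF" || true
            rm "$OLDSORT" "$NEWSORT"
            if [ -s "$ORIGDIFF" ]; then
                DIFF=$(mktemp)
                # Field 2 = the path regex that follows the "<"/">" marker.
                cut -f2 -d' ' < "$ORIGDIFF" > "$DIFF"
                GOOD=$(mktemp)
                # Candidates for automatic relabelling: anything outside /run and
                # /dev that has at least two slashes (so a parent directory exists).
                grep -v '^/run' "$DIFF" | grep -v '^/dev' | grep "/.*/" > "$GOOD" || true
                if [ -s "$GOOD" ]; then
                    echo ""
                    echo "Relabeling matches for the following file context changes:"
                    cat "$GOOD"
                    echo ""
                    # Reduce each path regex to its containing directory: drop a
                    # "(.*/)" tail, drop everything from the first "(", drop the
                    # last path component, drop a "/xxx[" bracket-expression
                    # component; then de-duplicate and let remove-leaf-dirs (an
                    # external helper, assumed to prune directories already covered
                    # by a listed ancestor) shorten the list.
                    # NOTE(review): a single-component entry such as "/bin(/.*)?"
                    # reduces to an empty string here and is dropped by word
                    # splitting instead of being relabelled -- confirm.
                    DIRS=$(sed -e 's/(\.\*\/).*$//' -e 's/(.*$//' -e 's/\/[^/]*$//' -e 's/\/[0-9a-z]*\[.*$//' "$GOOD" | sort -u | /usr/libexec/selinux/remove-leaf-dirs)
                    echo "The following directories:" $DIRS
                    # Recursive relabel of whole directory trees. A failure is
                    # reported but must not leave the package unconfigured.
                    restorecon -R -v $DIRS || echo "restorecon gave an error but package is still ok"
                fi
                rm "$GOOD"
                # Entries not touched automatically: /run and /dev and entries with
                # only one slash. "^.." skips the "< "/"> " marker.
                # NOTE(review): the "---" separator lines that normal-format diff
                # emits inside change hunks contain no slash and therefore also
                # land here -- confirm and filter them if that is not intended.
                PROB=$(mktemp)
                grep '^../run' "$ORIGDIFF" > "$PROB" || true
                grep '^../dev' "$ORIGDIFF" >> "$PROB" || true
                grep -v "/.*/" "$ORIGDIFF" >> "$PROB" || true
                if [ -s "$PROB" ]; then
                    echo "The following lines have changes that can't be automatically applied, consider"
                    echo "manually relabelling them if appropriate:"
                    cat "$PROB"
                fi
                rm "$DIFF" "$PROB"
            else
                echo "No changes to file contexts"
            fi
            rm "$ORIGDIFF" "$OLDFC"
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

# dh_installdeb will replace this with shell code automatically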
# generated by other debhelper scripts.
# Automatically added by dh_installdeb/13.11.6
# Conffiles no longer shipped by this package: dpkg-maintscript-helper removes
# them when upgrading from a version earlier than 2:2.20140421-10~ (keeping a
# locally modified copy aside, see dpkg-maintscript-helper(1)). The script's
# own arguments are forwarded so the helper knows which phase it runs in.
for obsolete in \
    users/local.users \
    users/system.users \
    modules/semanage.read.LOCK \
    modules/semanage.trans.LOCK \
    modules/active/file_contexts.local; do
    dpkg-maintscript-helper rm_conffile "/etc/selinux/default/${obsolete}" '2:2.20140421-10~' -- "$@"
done
# End automatically added section

exit 0
control/postinst文件總共189行,還是比較長的,內容也比較多。下邊一段一段來看。
1)#!/bin/sh
這無需多言,#!/bin/sh是指此腳本使用/bin/sh來解釋執行。這也意味著腳本只能使用POSIX sh語法(Debian上的/bin/sh預設是dash),不能依賴bash擴充功能。
2)set -e
set -e是shell中的一個選項,其作用是在腳本執行過程中,一旦出現任何命令執行失敗(返回非零的退出狀態碼),腳本就會立即退出,後續的腳本將不會得到執行的機會。對維護者腳本而言這一點很重要:任何一步失敗都會讓dpkg把軟件包標記為配置失敗,而不是帶著半完成的策略狀態繼續。
注意:
在set -e下,只有整行命令(管線或命令列表)的最終返回值才算數:當一行命令中包含多個子命令時,即使某個子命令返回非0,只要這一行最終返回0(例如尾隨`|| true`,或管線最後一個命令成功),腳本也不會退出。本腳本正是利用這一點,在允許失敗的命令後面加上`|| true`(如下文的`hostnamectl chassis`,以及diff/grep等可能沒有匹配結果的命令),以免個別命令失敗導致整個postinst中止。
3)注釋說明
接下來是一段如何運行postinst的具體說明。這一段如下:
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
這一段是關於如何調用此(postinst)腳本的摘要:dpkg以root身份執行維護者腳本,並用第一個參數($1)指明當前處於哪個階段(configure、abort-upgrade、abort-remove、abort-deconfigure等);腳本後半部分正是依據$1進行分派,遇到未知參數則報錯並以狀態1退出。更多詳細信息,參閱http://www.debian.org/doc/debian-policy/或debian-policy包。
4)變量賦值語句
接下來是幾個變量賦值語句,代碼片段如下:
# Will be replaced by the binary package flavour in debian/rules
flavour="default"

# semodule store priority (-X) used for every module this package installs
priority=100

# modules which are not enabled by default, because they are usually
# not needed on a debian system (installed, then disabled with semodule -d)
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned"
notdefault="${notdefault} likewise livecd nessus numad oddjob openca rlogin rshd"
notdefault="${notdefault} soundserver telnet publicfile thunderbird updfstab usernetctl"
設置變量flavour的值為"default",此值在構建時會被debian/rules中的二進制包flavour所代替;腳本中所有與策略類型相關的路徑(如/etc/selinux/$flavour/...和/usr/share/selinux/$flavour/...)都由它派生。
設置變量priority的值為100。這是傳給semodule的模組優先級(-X參數);腳本後面用它從已安裝模組列表中篩選出「屬於本軟件包」的模組,以決定哪些要移除、哪些要停用。
設置變量notdefault的值為"aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"。這些值代表默認情況下不會被使能的模組,因為debian系統通常不需要這些模組。注意「不使能」是指模組安裝後隨即用semodule -d停用,而不是不安裝;而且只對首次出現(此前未以優先級100安裝過)的模組生效,管理員已手動啟用過的模組狀態不會被覆蓋。其中rlogin、rshd、telnet等屬於明文傳輸的舊式遠端登入服務,預設停用其策略模組是合理的。
5)platform變量賦值
接下來是以下一行代碼:
# Chassis type from systemd-hostnamed. `|| :` keeps a missing or failing
# hostnamectl (no systemd/D-Bus) from aborting the script under `set -e`; the
# value is then empty and handled by the default branch of the case below.
platform=$(hostnamectl chassis) || :
雖然只有一行,但其中內容還是挺多的。主要涉及到hostnamectl命令。
關於hostnamectl命令的詳解,請參考相關文章。在此列出筆者電腦中的相關信息,如下:
$ hostnamectl
 Static hostname: Ding-Perlis-MP26JBT0
       Icon name: computer
      Machine ID: ccd4c48fdb304652ad40edc548349078
         Boot ID: 11b3d0d94b7c40cb96663b7ff7ee8790
Operating System: DingOS 0.1 (ding-perlis-minsky-v00)
          Kernel: Linux 6.1.46-01-perlis001-2
    Architecture: x86-64
 Hardware Vendor: Lenovo
  Hardware Model: ThinkBook 14 G2 ITL
Firmware Version: F8CN46WW(V2.09)
命令用法:
$ hostnamectl -h
hostnamectl [OPTIONS...] COMMAND ...

Query or change system hostname.

Commands:
  status                 Show current hostname settings
  hostname [NAME]        Get/set system hostname
  icon-name [NAME]       Get/set icon name for host
  chassis [NAME]         Get/set chassis type for host
  deployment [NAME]      Get/set deployment environment for host
  location [NAME]        Get/set location for host

Options:
  -h --help              Show this help
     --version           Show package version
     --no-ask-password   Do not prompt for password
  -H --host=[USER@]HOST  Operate on remote host
  -M --machine=CONTAINER Operate on local container
     --transient         Only set transient hostname
     --static            Only set static hostname
     --pretty            Only set pretty hostname
     --json=pretty|short|off
                         Generate JSON output

See the hostnamectl(1) man page for details.
實際hostnamectl chassis命令的返回值(可能是desktop、laptop、vm、handset、server、container等;本腳本只對前四種做了專門處理,其餘值以及hostnamectl不存在時的空值都落入下文case語句的`*)`分支):
$ hostnamectl chassis
6)根據platform變量的值決定notdefault的進一步值
代碼片段如下:
case "$platform" in
    handset)
        # phones: no staff role, no desktop/server hardware services, no VM
        # guest tools, no server daemons, no time-sharing daemons
        notdefault="${notdefault} staff"
        notdefault="${notdefault} acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
        notdefault="${notdefault} hypervkvp"
        notdefault="${notdefault} afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
        notdefault="${notdefault} comsat finger oident rwho slocate slrnpull uptime quota"
        ;;
    vm)
        # virtual machines: no physical-hardware services, no phone stack
        notdefault="${notdefault} acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
        notdefault="${notdefault} eg25manager feedbackd geoclue iiosensorproxy"
        ;;
    desktop)
        # desktops: no VM guest tools, no location service, no phone stack
        notdefault="${notdefault} hypervkvp"
        notdefault="${notdefault} geoclue"
        notdefault="${notdefault} eg25manager feedbackd iiosensorproxy"
        ;;
    laptop)
        # laptops: no VM guest tools, no phone stack (geoclue stays available)
        notdefault="${notdefault} hypervkvp"
        notdefault="${notdefault} eg25manager feedbackd iiosensorproxy"
        ;;
    *)
        # Empty value (hostnamectl missing or failed) or a chassis type without
        # a branch here, e.g. "server": the baseline list is left unchanged.
        echo "Unknown output from hostnamectl or not running systemd"
        ;;
esac
postinst的其余代碼請看下回。