接前一篇文章:selinux-policy-default(2:2.20231119-2)软件包内容详细介绍(1)
4. 重点文件内容解析
(1)control/postinst文件
文件内容如下:
#!/bin/sh
# Abort on the first failing command; lines that may legitimately fail
# append "|| true" explicitly.
set -e

# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#   <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#   <failed-install-package> <version> `removing'
#   <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Will be replaced by the binary package flavour in debian/rules
flavour='default'
# semodule priority (-X) under which this package's modules are installed
# and listed later in this script.
priority=100
# modules which are not enabled by default, because they are usually
# not needed on a debian system
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise \
livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile \
thunderbird updfstab usernetctl"
# Machine class reported by systemd's hostnamectl. Without systemd the
# command is missing; ':' keeps the script alive under set -e and the
# following case statement then falls through to its default arm.
platform=$(hostnamectl chassis) || :
# skip_modules WORDS: append WORDS (one space-separated string) to the list
# of modules which are not enabled by default.
skip_modules() {
  notdefault="$notdefault $1"
}

# Trim the default module set further according to the machine class that
# hostnamectl reported; an unknown or empty value leaves the list untouched.
case "$platform" in
  handset)
    # dont need staff role
    skip_modules "staff"
    # dont need hardware specific things for non phone hardware
    skip_modules "acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need serious server daemons
    skip_modules "afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
    # dont need time sharing system daemons
    skip_modules "comsat finger oident rwho slocate slrnpull uptime quota"
    ;;
  vm)
    # dont need hardware specific things for vms
    skip_modules "acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd geoclue iiosensorproxy"
    ;;
  desktop)
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need portable stuff
    skip_modules "geoclue"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd iiosensorproxy"
    ;;
  laptop)
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd iiosensorproxy"
    ;;
  *)
    echo "Unknown output from hostnamectl or not running systemd"
    ;;
esac
esac. /etc/selinux/configcase "$1" inconfigure)echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."# list all the modules that are already installed with our priorityalready_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`# record which non-default modules do not yet exist for disabling them laterto_disable=""for module in ${notdefault}; doinstalled=0for inst_module in ${already_installed}; doif [ $module = $inst_module ]; theninstalled=1breakfidoneif [ $installed -ne 1 ]; thento_disable="$to_disable -d${module}"fidone# List all the modules that we are going to installto_install=""for module in `cat /usr/share/selinux/${flavour}/.modules`; doto_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"done# Now build a list of the modules that we were shipping before but that we are not# anymore and that we need to removeto_remove=""for inst_module in $already_installed; doremove_module=1for pkg_module in `cat /usr/share/selinux/${flavour}/.modules`; doif [ $inst_module = $pkg_module ]; thenremove_module=0breakfidoneif [ $remove_module -eq 1 ]; thento_remove="$to_remove -r${inst_module}"fidone# Now load policy into the kernel if it is the configured policy# and we are running selinuxif [ "${SELINUXTYPE}" != "${flavour}" ] || ! 
selinuxenabled; thennoreload='-n'firet=0semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$?if [ $ret -eq 0 ]; thenecho " done."elseecho " failed."exit $retfiFC=/etc/selinux/$flavour/contexts/files/file_contextsOLDFC=$FC.oldif [ -f $OLDFC ]; thenOLDSORT=$(mktemp)NEWSORT=$(mktemp)sort < $OLDFC > $OLDSORTsort < $FC > $NEWSORTORIGDIFF=$(mktemp)diff $OLDSORT $NEWSORT | grep -v ^[0-9] > $ORIGDIFF || truerm $OLDSORT $NEWSORTif [ -s $ORIGDIFF ]; thenDIFF=$(mktemp)cut -f2 -d\ < $ORIGDIFF > $DIFFGOOD=$(mktemp)grep -v ^/run $DIFF |grep -v ^/dev | grep "/.*/" > $GOOD || trueif [ -s $GOOD ]; thenecho ""echo "Relabeling matches for the following file context changes:"cat $GOODecho ""DIRS=$(cat $GOOD | sed -e 's/(\.\*\/).*$//' -e 's/(.*$//' -e 's/\/[^/]*$//' -e 's/\/[0-9a-z]*\[.*$//' | sort -u | /usr/libexec/selinux/remove-leaf-dirs)echo The following directories: $DIRSrestorecon -R -v $DIRS || echo "restorecon gave an error but package is still ok"firm $GOODPROB=$(mktemp)grep ^../run $ORIGDIFF > $PROB || truegrep ^../dev $ORIGDIFF >> $PROB || truegrep -v "/.*/" $ORIGDIFF >> $PROB || trueif [ -s $PROB ]; thenecho "The following lines have changes that can't be automatically applied, consider"echo "manually relabelling them if appropriate:"cat $PROBfirm $DIFF $PROBelseecho "No changes to file contexts"firm $ORIGDIFF $OLDFCfi;;abort-upgrade|abort-remove|abort-deconfigure);;*)echo "postinst called with unknown argument \`$1'" >&2exit 1;;
esac# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
# Automatically added by dh_installdeb/13.11.6
# Per dpkg-maintscript-helper(1), rm_conffile removes the named conffile when
# the package is upgraded from a version earlier than the one given
# (2:2.20140421-10~); the maintainer-script arguments are forwarded as "$@"
# so the helper can see which action and version it is running for.
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/local.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/system.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.read.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.trans.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/active/file_contexts.local 2:2.20140421-10\~ -- "$@"
# End automatically added section
exit 0
control/postinst文件总共189行,还是比较长的,内容也比较多。下边一段一段来看。
1)#!/bin/sh
这无需多言,#!/bin/sh是指此脚本使用/bin/sh来解释执行。
2)set -e
set -e是shell中的一个选项,其作用是在脚本执行过程中,一旦出现任何命令执行失败(返回非零的退出状态码),脚本就会立即退出,后续的脚本将不会得到执行的机会。
注意:
使用set -e时,当一行命令中包含多个子命令时,即使某个子命令返回值不为0,但最终那一行命令的返回值为0,脚本也不会报错退出。例如本脚本中的platform=$(hostnamectl chassis) || true,即使hostnamectl执行失败,该行的最终返回值也是0,脚本会继续往下执行。
3)注释说明
接下来是一段如何运行postinst的具体说明。这一段如下:
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
这一段是关于如何调用此(postinst)脚本的摘要。更多详细信息,参阅http://www.debian.org/doc/debian-policy/或debian-policy包。
4)变量赋值语句
接下来是几个变量赋值语句,代码片段如下:
# Will be replaced by the binary package flavour in debian/rules
flavour='default'
# semodule priority (-X) under which this package's modules are installed
# and listed later in this script.
priority=100
# modules which are not enabled by default, because they are usually
# not needed on a debian system
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise \
livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile \
thunderbird updfstab usernetctl"
设置变量flavour的值为"default",此值将被debian/rules中的二进制包flavour所代替。
设置变量priority的值为100。
设置变量notdefault的值为"aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"。这些值代表默认情况下不会被使能的模块,因为debian系统通常不需要这些模块。
5)platform变量赋值
接下来是以下一行代码:
# Machine class reported by systemd's hostnamectl (e.g. handset, vm, desktop,
# laptop). Without systemd the command is missing; ':' keeps the script alive
# under set -e and the case statement below then falls through to its
# default arm.
platform=$(hostnamectl chassis) || :
虽然只有一行,但其中内容还是挺多的。主要涉及到hostnamectl命令。
关于hostnamectl命令的详解,请参考相关文章。在此列出笔者电脑中的相关信息,如下:
$ hostnamectl
 Static hostname: Ding-Perlis-MP26JBT0
       Icon name: computer
      Machine ID: ccd4c48fdb304652ad40edc548349078
         Boot ID: 11b3d0d94b7c40cb96663b7ff7ee8790
Operating System: DingOS 0.1 (ding-perlis-minsky-v00)
          Kernel: Linux 6.1.46-01-perlis001-2
    Architecture: x86-64
 Hardware Vendor: Lenovo
  Hardware Model: ThinkBook 14 G2 ITL
Firmware Version: F8CN46WW(V2.09)
命令用法:
$ hostnamectl -h
hostnamectl [OPTIONS...] COMMAND ...

Query or change system hostname.

Commands:
  status                 Show current hostname settings
  hostname [NAME]        Get/set system hostname
  icon-name [NAME]       Get/set icon name for host
  chassis [NAME]         Get/set chassis type for host
  deployment [NAME]      Get/set deployment environment for host
  location [NAME]        Get/set location for host

Options:
  -h --help              Show this help
     --version           Show package version
     --no-ask-password   Do not prompt for password
  -H --host=[USER@]HOST  Operate on remote host
  -M --machine=CONTAINER Operate on local container
     --transient         Only set transient hostname
     --static            Only set static hostname
     --pretty            Only set pretty hostname
     --json=pretty|short|off
                         Generate JSON output

See the hostnamectl(1) man page for details.
实际hostnamectl chassis命令的返回值:
$ hostnamectl chassis
6)根据platform变量的值决定notdefault的进一步值
代码片段如下:
# skip_modules WORDS: append WORDS (one space-separated string) to the list
# of modules which are not enabled by default.
skip_modules() {
  notdefault="$notdefault $1"
}

# Trim the default module set further according to the machine class that
# hostnamectl reported; an unknown or empty value leaves the list untouched.
case "$platform" in
  handset)
    # dont need staff role
    skip_modules "staff"
    # dont need hardware specific things for non phone hardware
    skip_modules "acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need serious server daemons
    skip_modules "afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
    # dont need time sharing system daemons
    skip_modules "comsat finger oident rwho slocate slrnpull uptime quota"
    ;;
  vm)
    # dont need hardware specific things for vms
    skip_modules "acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd geoclue iiosensorproxy"
    ;;
  desktop)
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need portable stuff
    skip_modules "geoclue"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd iiosensorproxy"
    ;;
  laptop)
    # dont need VM things
    skip_modules "hypervkvp"
    # dont need handset stuff
    skip_modules "eg25manager feedbackd iiosensorproxy"
    ;;
  *)
    echo "Unknown output from hostnamectl or not running systemd"
    ;;
esac
postinst的其余代码请看下回。