selinux-policy-default（2:2.20231119-2）软件包内容详细介绍（3）

接前一篇文章：selinux-policy-default（2:2.20231119-2）软件包内容详细介绍（2）

4. 重点文件内容解析

（1）control/postist文件

上一回讲解了postinst文件的前一部分内容，本回继续往下解析。为了便于理解，再次贴出postinst完整代码：

#!/bin/sh
set -e
 
# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
 
# Will be replaced by the binary package flavour in debian/rules
flavour="default"
priority=100
 
# modules which are not enabled by default, because they are usually
# not needed on a debian system
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"
 
platform=$(hostnamectl chassis) || true
case "$platform" in
  handset|watch|embedded)
# dont need staff role
    notdefault="$notdefault staff"
# dont need hardware specific things for non phone hardware
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need serious server daemons
    notdefault="$notdefault afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
# dont need time sharing system daemons
    notdefault="$notdefault comsat finger oident rwho slocate slrnpull uptime quota"
  ;;
  vm|container)
# dont need hardware specific things for vms
    notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd geoclue iiosensorproxy"
  ;;
  desktop)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need portable stuff
    notdefault="$notdefault geoclue"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
  laptop|convertible)
# dont need VM things
    notdefault="$notdefault hypervkvp"
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
  server)
# dont need handset stuff
    notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
  ;;
  *)
    echo "Unknown output from hostnamectl or not running systemd"
  ;;
esac
 
. /etc/selinux/config
 
case "$1" in
    configure)
	echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."
 
	# list all the modules that are already installed with our priority
	already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`
 
	# record which non-default modules do not yet exist for disabling them later
	to_disable=""
	for module in ${notdefault}; do
	installed=0
	for inst_module in ${already_installed}; do
	    if [ $module = $inst_module ]; then
		installed=1
		break
	    fi
	done
	if [ $installed -ne 1 ]; then
	    to_disable="$to_disable -d${module}"
	fi
	done
 
	# List all the modules that we are going to install
	to_install=""
	for module in `cat /usr/share/selinux/${flavour}/.modules`; do
	    to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
	done
 
	# Now build a list of the modules that we were shipping before but that we are not
	# anymore and that we need to remove
	to_remove=""
	for inst_module in $already_installed; do
	    remove_module=1
	    for pkg_module in `cat /usr/share/selinux/${flavour}/.modules`; do
		if [ $inst_module = $pkg_module ]; then
		    remove_module=0
		    break
		fi
	    done
	    if [ $remove_module -eq 1 ]; then
		to_remove="$to_remove -r${inst_module}"
	    fi
	done
 
	# Now load policy into the kernel if it is the configured policy
	# and we are running selinux
	if [ "${SELINUXTYPE}" != "${flavour}" ] || ! selinuxenabled; then
	    noreload='-n'
	fi
 
	ret=0
	semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$?
	if [ $ret -eq 0 ]; then
	    echo " done."
	else
	    echo " failed."
	    exit $ret
	fi
	FC=/etc/selinux/$flavour/contexts/files/file_contexts
	OLDFC=$FC.old
	if [ -f $OLDFC ]; then
	    OLDSORT=$(mktemp)
	    NEWSORT=$(mktemp)
	    sort < $OLDFC > $OLDSORT
	    sort < $FC > $NEWSORT
	    ORIGDIFF=$(mktemp)
	    diff $OLDSORT $NEWSORT | grep -v ^[0-9] > $ORIGDIFF || true
	    rm $OLDSORT $NEWSORT
	    if [ -s $ORIGDIFF ]; then
		DIFF=$(mktemp)
		cut -f2 -d\  < $ORIGDIFF > $DIFF
		GOOD=$(mktemp)
		grep -v ^/run $DIFF |grep -v ^/dev | grep "/.*/" > $GOOD || true
		if [ -s $GOOD ]; then
		    echo ""
		    echo "Relabeling matches for the following file context changes:"
		    cat $GOOD
		    echo ""
		    DIRS=$(cat $GOOD | sed -e 's/(\.\*\/).*$//' -e 's/(.*$//' -e 's/\/[^/]*$//' -e 's/\/[0-9a-z]*\[.*$//' | sort -u | /usr/libexec/selinux/remove-leaf-dirs)
		    echo The following directories: $DIRS
		    restorecon -R -v $DIRS || echo "restorecon gave an error but package is still ok"
		fi
		rm $GOOD
		PROB=$(mktemp)
		grep ^../run $ORIGDIFF > $PROB || true
		grep ^../dev $ORIGDIFF >> $PROB || true
		grep -v "/.*/" $ORIGDIFF >> $PROB || true
 
		if [ -s $PROB ]; then
		    echo "The following lines have changes that can't be automatically applied, consider"
		    echo "manually relabelling them if appropriate:"
		    cat $PROB
		fi
		rm $DIFF $PROB
	    else
		echo "No changes to file contexts"
	    fi
	    rm $ORIGDIFF $OLDFC
	fi
    ;;
 
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;
 
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac
 
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
 
# Automatically added by dh_installdeb/13.11.8
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/local.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/system.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.read.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.trans.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/active/file_contexts.local 2:2.20140421-10\~ -- "$@"
# End automatically added section
 
 
exit 0

7）执行/etc/selinux/config

接下来的一行代码是执行/etc/selinux/config：

. /etc/selinux/config

/etc/selinux/config文件的代码如下：

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default
 
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

/etc/selinux/config文件控制系统上SELinux的状态。

SELINUX项

SELINUX可以取以下三个值之一：

• enforcing —— SELinux安全策略已强制执行。
• permissive —— SELinux打印警告但并不强制执行。
• disabled —— 未加载SELinux策略。

SELINUXTYPE项

SELINUTYPE可以取以下两个值之一：

• default —— 相当于旧（版本）的strict和target策略。
• mls —— 多级安全（用于军事和教育用途）。
• src —— 从源代码生成的自定义策略。

SETLOCALDEFS项

检查本地定义更改。

8）进入configure分支

postinst脚本代码接下来走进了case分支。由于这部分代码较长，因此分段来看。

case "$1" in
    configure)

$1是调用postinst脚本时传入的第1个参数（从0开始）。参考上一回3）中的注释：

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

最主要的就是configure。这里也是将参数1分成了两类：configure和其它。先来看configure分支中的代码。

9）提示信息

通过以下一行代码在终端给出提示信息：

echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."

flavour之前赋值为default：

flavour="default"

那么此处在终端显示的提示信息为“Updating selinux default policy (this step might take a moment)...”。

10）列出当前策略下已安装模块并赋值给already_installed

# list all the modules that are already installed with our priority
already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`

semodule详细介绍参见笔者这篇博客：

semodule工具详解（1）

-s选项代表要操作的存储的名称；flavor是default；--list-modules选项的作用是显示已安装模块的列表（基本模块除外）。

单独执行这一部分命令的结果如下：

$ sudo semodule -s default --list-modules=full 
libsemanage.semanage_create_store: Could not create module store at /var/lib/selinux/default. (No such file or directory).
libsemanage.semanage_direct_connect: could not establish direct connection (No such file or directory).
semodule:  Could not connect to policy handler

手工创建/var/lib/selinux/default文件：

$ sudo mkdir  /var/lib/selinux
$ sudo touch /var/lib/selinux/defaut

再次执行以上命令，结果如下：

$ sudo semodule -s default --list-modules=full 
No modules.

笔者的电脑不是debian系统，因此结果并非预期。但并不耽误对于postinst脚本的分析。

11）记录哪些非默认模块还不在notdefault列表中，以便以后禁用

代码片段如下：

    # record which non-default modules do not yet exist for disabling them later
	to_disable=""
	for module in ${notdefault}; do
	installed=0
	for inst_module in ${already_installed}; do
	    if [ $module = $inst_module ]; then
		installed=1
		break
	    fi
	done
	if [ $installed -ne 1 ]; then
	    to_disable="$to_disable -d${module}"
	fi
	done

将目前系统已安装、但应该不安装的模块记录到to_disable变量中。

12）列出要安装的所有模块

代码片段如下：

    # List all the modules that we are going to install
	to_install=""
	for module in `cat /usr/share/selinux/${flavour}/.modules`; do
	    to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
	done

由于是postinst脚本，因此/usr/share/selinux/这个目录对应的实际上是此deb包中的data/usr/share/selinux目录。该目录下的内容为：

$ ls
default
 
$ ls default/
accountsd.pp.bz2        feedbackd.pp.bz2         ncftool.pp.bz2         setroubleshoot.pp.bz2
acct.pp.bz2             fetchmail.pp.bz2         nessus.pp.bz2          seunshare.pp.bz2
acpi.pp.bz2             finger.pp.bz2            netlabel.pp.bz2        shibboleth.pp.bz2
afs.pp.bz2              firewalld.pp.bz2         netutils.pp.bz2        shorewall.pp.bz2
aide.pp.bz2             fprintd.pp.bz2           networkmanager.pp.bz2  shutdown.pp.bz2
aisexec.pp.bz2          ftp.pp.bz2               nis.pp.bz2             slocate.pp.bz2
alsa.pp.bz2             fwupd.pp.bz2             nscd.pp.bz2            slpd.pp.bz2
amanda.pp.bz2           games.pp.bz2             nsd.pp.bz2             slrnpull.pp.bz2
amavis.pp.bz2           gatekeeper.pp.bz2        nslcd.pp.bz2           smartmon.pp.bz2
amtu.pp.bz2             gdomap.pp.bz2            ntop.pp.bz2            smokeping.pp.bz2
apache.pp.bz2           geoclue.pp.bz2           ntp.pp.bz2             smstools.pp.bz2
apcupsd.pp.bz2          getty.pp.bz2             numad.pp.bz2           snmp.pp.bz2
aptcacher.pp.bz2        gitosis.pp.bz2           nut.pp.bz2             snort.pp.bz2
apt.pp.bz2              git.pp.bz2               nx.pp.bz2              sosreport.pp.bz2
arpwatch.pp.bz2         glance.pp.bz2            obex.pp.bz2            soundserver.pp.bz2
asterisk.pp.bz2         glusterfs.pp.bz2         oddjob.pp.bz2          spamassassin.pp.bz2
auditadm.pp.bz2         gnomeclock.pp.bz2        oident.pp.bz2          squid.pp.bz2
automount.pp.bz2        gnome.pp.bz2             openca.pp.bz2          ssh.pp.bz2
avahi.pp.bz2            gpg.pp.bz2               openct.pp.bz2          sssd.pp.bz2
awstats.pp.bz2          gpm.pp.bz2               openhpi.pp.bz2         staff.pp.bz2
backup.pp.bz2           gpsd.pp.bz2              openvpn.pp.bz2         stunnel.pp.bz2
bacula.pp.bz2           guest.pp.bz2             openvswitch.pp.bz2     sudo.pp.bz2
base.pp.bz2             hddtemp.pp.bz2           pacemaker.pp.bz2       su.pp.bz2
bind.pp.bz2             hostname.pp.bz2          pads.pp.bz2            svnserve.pp.bz2
bird.pp.bz2             hypervkvp.pp.bz2         passenger.pp.bz2       switcheroo.pp.bz2
bitlbee.pp.bz2          i18n_input.pp.bz2        pcscd.pp.bz2           sxid.pp.bz2
blueman.pp.bz2          icecast.pp.bz2           pegasus.pp.bz2         sympa.pp.bz2
bluetooth.pp.bz2        ifplugd.pp.bz2           perdition.pp.bz2       sysstat.pp.bz2
boinc.pp.bz2            iiosensorproxy.pp.bz2    pingd.pp.bz2           systemtap.pp.bz2
bootloader.pp.bz2       inetd.pp.bz2             pkcs.pp.bz2            tcpd.pp.bz2
brctl.pp.bz2            inn.pp.bz2               plymouthd.pp.bz2       tcsd.pp.bz2
bubblewrap.pp.bz2       iodine.pp.bz2            policykit.pp.bz2       telepathy.pp.bz2
bugzilla.pp.bz2         ipsec.pp.bz2             portmap.pp.bz2         telnet.pp.bz2
cachefilesd.pp.bz2      iptables.pp.bz2          portreserve.pp.bz2     tftp.pp.bz2
calamaris.pp.bz2        ircd.pp.bz2              portslave.pp.bz2       tgtd.pp.bz2
canna.pp.bz2            irc.pp.bz2               postfixpolicyd.pp.bz2  thunderbird.pp.bz2
cdrecord.pp.bz2         irqbalance.pp.bz2        postfix.pp.bz2         thunderbolt.pp.bz2
certbot.pp.bz2          iscsi.pp.bz2             postgresql.pp.bz2      timidity.pp.bz2
certmonger.pp.bz2       isns.pp.bz2              postgrey.pp.bz2        tmpreaper.pp.bz2
cfengine.pp.bz2         jabber.pp.bz2            powerprofiles.pp.bz2   tor.pp.bz2
cgroup.pp.bz2           java.pp.bz2              ppp.pp.bz2             transproxy.pp.bz2
chromium.pp.bz2         kdump.pp.bz2             prelink.pp.bz2         tripwire.pp.bz2
chronyd.pp.bz2          kerberos.pp.bz2          prelude.pp.bz2         tuned.pp.bz2
clamav.pp.bz2           kerneloops.pp.bz2        privoxy.pp.bz2         tvtime.pp.bz2
clock.pp.bz2            keystone.pp.bz2          procmail.pp.bz2        tzdata.pp.bz2
cobbler.pp.bz2          kismet.pp.bz2            psad.pp.bz2            ucspitcp.pp.bz2
cockpit.pp.bz2          ksmtuned.pp.bz2          publicfile.pp.bz2      ulogd.pp.bz2
collectd.pp.bz2         l2tp.pp.bz2              pulseaudio.pp.bz2      uml.pp.bz2
colord.pp.bz2           ldap.pp.bz2              puppet.pp.bz2          unconfined.pp.bz2
comsat.pp.bz2           lightsquid.pp.bz2        pwauth.pp.bz2          unprivuser.pp.bz2
condor.pp.bz2           likewise.pp.bz2          pxe.pp.bz2             updfstab.pp.bz2
container.pp.bz2        lircd.pp.bz2             pyzor.pp.bz2           uptime.pp.bz2
corosync.pp.bz2         livecd.pp.bz2            qemu.pp.bz2            usbmodules.pp.bz2
couchdb.pp.bz2          lldpad.pp.bz2            qmail.pp.bz2           usbmuxd.pp.bz2
courier.pp.bz2          loadkeys.pp.bz2          qpid.pp.bz2            userhelper.pp.bz2
cpucontrol.pp.bz2       logadm.pp.bz2            quantum.pp.bz2         usernetctl.pp.bz2
cpufreqselector.pp.bz2  logrotate.pp.bz2         quota.pp.bz2           uucp.pp.bz2
cron.pp.bz2             logwatch.pp.bz2          rabbitmq.pp.bz2        uuidd.pp.bz2
ctdb.pp.bz2             lowmemorymonitor.pp.bz2  radius.pp.bz2          uwimap.pp.bz2
cups.pp.bz2             lpd.pp.bz2               radvd.pp.bz2           varnishd.pp.bz2
cvs.pp.bz2              lvm.pp.bz2               raid.pp.bz2            vbetool.pp.bz2
cyphesis.pp.bz2         mailman.pp.bz2           rasdaemon.pp.bz2       vdagent.pp.bz2
cyrus.pp.bz2            man2html.pp.bz2          razor.pp.bz2           virt.pp.bz2
daemontools.pp.bz2      mandb.pp.bz2             rdisc.pp.bz2           vlock.pp.bz2
dante.pp.bz2            matrixd.pp.bz2           realmd.pp.bz2          vmware.pp.bz2
dbadm.pp.bz2            mediawiki.pp.bz2         redis.pp.bz2           vnstatd.pp.bz2
dbskk.pp.bz2            memcached.pp.bz2         remotelogin.pp.bz2     vpn.pp.bz2
ddclient.pp.bz2         memlockd.pp.bz2          rlogin.pp.bz2          watchdog.pp.bz2
devicekit.pp.bz2        milter.pp.bz2            rngd.pp.bz2            wdmd.pp.bz2
dhcp.pp.bz2             minidlna.pp.bz2          rpcbind.pp.bz2         webadm.pp.bz2
dictd.pp.bz2            minissdpd.pp.bz2         rpc.pp.bz2             webalizer.pp.bz2
dirmngr.pp.bz2          modemmanager.pp.bz2      rshd.pp.bz2            wine.pp.bz2
distcc.pp.bz2           mojomojo.pp.bz2          rssh.pp.bz2            wireshark.pp.bz2
djbdns.pp.bz2           mongodb.pp.bz2           rsync.pp.bz2           wm.pp.bz2
dkim.pp.bz2             monit.pp.bz2             rtkit.pp.bz2           xdg.pp.bz2
dmidecode.pp.bz2        mono.pp.bz2              rwho.pp.bz2            xen.pp.bz2
dnsmasq.pp.bz2          monop.pp.bz2             samba.pp.bz2           xfs.pp.bz2
docker.pp.bz2           mon.pp.bz2               samhain.pp.bz2         xguest.pp.bz2
dovecot.pp.bz2          mozilla.pp.bz2           sanlock.pp.bz2         xscreensaver.pp.bz2
drbd.pp.bz2             mpd.pp.bz2               sasl.pp.bz2            xserver.pp.bz2
eg25manager.pp.bz2      mplayer.pp.bz2           sblim.pp.bz2           zabbix.pp.bz2
entropyd.pp.bz2         mrtg.pp.bz2              screen.pp.bz2          zarafa.pp.bz2
evolution.pp.bz2        mta.pp.bz2               secadm.pp.bz2          zebra.pp.bz2
exim.pp.bz2             munin.pp.bz2             sendmail.pp.bz2        zosremote.pp.bz2
fail2ban.pp.bz2         mysql.pp.bz2             sensord.pp.bz2
fcoe.pp.bz2             nagios.pp.bz2            setrans.pp.bz2

data/usr/share/selinux/default/.modules文件的内容为：

$ cat default/.modules 
accountsd
acct
acpi
afs
aide
aisexec
alsa
amanda
amavis
amtu
apache
apcupsd
apt
aptcacher
arpwatch
asterisk
auditadm
automount
avahi
awstats
backup
bacula
base
bind
bird
bitlbee
blueman
bluetooth
boinc
bootloader
brctl
bubblewrap
bugzilla
cachefilesd
calamaris
canna
cdrecord
certbot
certmonger
cfengine
cgroup
chromium
chronyd
clamav
clock
cobbler
cockpit
collectd
colord
comsat
condor
container
corosync
couchdb
courier
cpucontrol
cpufreqselector
cron
ctdb
cups
cvs
cyphesis
cyrus
daemontools
dante
dbadm
dbskk
ddclient
devicekit
dhcp
dictd
dirmngr
distcc
djbdns
dkim
dmidecode
dnsmasq
docker
dovecot
drbd
eg25manager
entropyd
evolution
exim
fail2ban
fcoe
feedbackd
fetchmail
finger
firewalld
fprintd
ftp
fwupd
games
gatekeeper
gdomap
geoclue
getty
git
gitosis
glance
glusterfs
gnome
gnomeclock
gpg
gpm
gpsd
guest
hddtemp
hostname
hypervkvp
i18n_input
icecast
ifplugd
iiosensorproxy
inetd
inn
iodine
ipsec
iptables
irc
ircd
irqbalance
iscsi
isns
jabber
java
kdump
kerberos
kerneloops
keystone
kismet
ksmtuned
l2tp
ldap
lightsquid
likewise
lircd
livecd
lldpad
loadkeys
logadm
logrotate
logwatch
lowmemorymonitor
lpd
lvm
mailman
man2html
mandb
matrixd
mediawiki
memcached
memlockd
milter
minidlna
minissdpd
modemmanager
mojomojo
mon
mongodb
monit
mono
monop
mozilla
mpd
mplayer
mrtg
mta
munin
mysql
nagios
ncftool
nessus
netlabel
netutils
networkmanager
nis
nscd
nsd
nslcd
ntop
ntp
numad
nut
nx
obex
oddjob
oident
openca
openct
openhpi
openvpn
openvswitch
pacemaker
pads
passenger
pcscd
pegasus
perdition
pingd
pkcs
plymouthd
policykit
portmap
portreserve
portslave
postfix
postfixpolicyd
postgresql
postgrey
powerprofiles
ppp
prelink
prelude
privoxy
procmail
psad
publicfile
pulseaudio
puppet
pwauth
pxe
pyzor
qemu
qmail
qpid
quantum
quota
rabbitmq
radius
radvd
raid
rasdaemon
razor
rdisc
realmd
redis
remotelogin
rlogin
rngd
rpc
rpcbind
rshd
rssh
rsync
rtkit
rwho
samba
samhain
sanlock
sasl
sblim
screen
secadm
sendmail
sensord
setrans
setroubleshoot
seunshare
shibboleth
shorewall
shutdown
slocate
slpd
slrnpull
smartmon
smokeping
smstools
snmp
snort
sosreport
soundserver
spamassassin
squid
ssh
sssd
staff
stunnel
su
sudo
svnserve
switcheroo
sxid
sympa
sysstat
systemtap
tcpd
tcsd
telepathy
telnet
tftp
tgtd
thunderbird
thunderbolt
timidity
tmpreaper
tor
transproxy
tripwire
tuned
tvtime
tzdata
ucspitcp
ulogd
uml
unconfined
unprivuser
updfstab
uptime
usbmodules
usbmuxd
userhelper
usernetctl
uucp
uuidd
uwimap
varnishd
vbetool
vdagent
virt
vlock
vmware
vnstatd
vpn
watchdog
wdmd
webadm
webalizer
wine
wireshark
wm
xdg
xen
xfs
xguest
xscreensaver
xserver
zabbix
zarafa
zebra
zosremote

按照以上脚本最终得到to_install的值为：

"-i/usr/share/selinux/default/accountsd.pp.bz2 -i/usr/share/selinux/default/acct.pp.bz2 -i/usr/share/selinux/default/acpi.pp.bz2

……

-i/usr/share/selinux/default/zebra.pp.bz2 -i/usr/share/selinux/default/zosremote.pp.bz2"

13）列出要移除的所有模块

代码片段如下：

    # Now build a list of the modules that we were shipping before but that we are not
	# anymore and that we need to remove
	to_remove=""
	for inst_module in $already_installed; do
	    remove_module=1
	    for pkg_module in `cat /usr/share/selinux/${flavour}/.modules`; do
		if [ $inst_module = $pkg_module ]; then
		    remove_module=0
		    break
		fi
	    done
	    if [ $remove_module -eq 1 ]; then
		to_remove="$to_remove -r${inst_module}"
	    fi
	done

already_installed在上边得到，详见10）：

# list all the modules that are already installed with our priority
already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`

postinst的其余代码请看下回。