接前一篇文章:selinux-policy-default(2:2.20231119-2)软件包内容详细介绍(2)
4. 重点文件内容解析
(1)control/postinst文件
上一回讲解了postinst文件的前一部分内容,本回继续往下解析。为了便于理解,再次贴出postinst完整代码:
#!/bin/sh
# Package postinst maintainer script. For the `configure' action it rebuilds
# the SELinux module set of one policy store with semodule and then relabels
# paths whose file-context entries changed; see the call summary below.
# Abort on the first unhandled failing command. Commands whose failure is
# tolerated further down are explicitly suffixed with `|| true' or `|| ret=$?'.
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
# Will be replaced by the binary package flavour in debian/rules
# flavour names the policy store: it is passed to `semodule -s' and used to
# build the paths under /usr/share/selinux/ and /etc/selinux/ below.
flavour="default"
# Module priority: passed to `semodule -X' and used to filter the output of
# `semodule --list-modules=full' down to the modules this package installed.
priority=100
# modules which are not enabled by default, because they are usually
# not needed on a debian system
# Every name in this list becomes a `-d<module>' (disable) argument to
# semodule unless the module is already installed at $priority.
notdefault="aisexec amtu bugzilla cobbler condor cyphesis git ksmtuned likewise livecd nessus numad oddjob openca rlogin rshd soundserver telnet publicfile thunderbird updfstab usernetctl"
# `|| true' keeps `set -e' from aborting when hostnamectl is missing or
# fails; $platform is then empty and the case statement that follows falls
# through to its `*)' arm.
platform=$(hostnamectl chassis) || true
# Extend $notdefault according to the chassis type stored in $platform
# (output of `hostnamectl chassis'). Each arm only appends module names; the
# list is turned into semodule `-d' (disable) arguments later in the script,
# so the chassis type decides which policy modules end up disabled on a
# fresh install.
case "$platform" in
handset)
# dont need staff role
notdefault="$notdefault staff"
# dont need hardware specific things for non phone hardware
notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need VM things
notdefault="$notdefault hypervkvp"
# dont need serious server daemons
notdefault="$notdefault afs aide amanda amavis apcupsd aptcacher asterisk awstats bacula bind bird bitlbee boinc cachefilesd calamaris certbot cfengine clamav cockpit corosync couchdb courier ctdb cvs cyrus dbadm dictd distcc djbdns dkim dmidecode docker dovecot drbd fetchmail gitosis glance glusterfs inn irc ircd jabber kerberos keystone ldap lightsquid mailman matrixd mediawiki memcached milter minidlna mojomojo mongodb monop mrtg munin nagios nis nsd nslcd ntop nut openhpi openvswitch pacemaker passenger pcscd pegasus perdition pingd portmap portslave postfixpolicyd postgresql postgrey prelude procmail puppet pxe pyzor qemu qmail qpid quantum rabbitmq radius radvd razor realmd redis rsync samba samhain sanlock sasl sblim secadm shibboleth snort spamassassin squid stunnel svnserve sympa tftp tripwire uml uucp uwimap varnishd virt vmware wdmd webadm webalizer xen zabbix zarafa zebra"
# dont need time sharing system daemons
notdefault="$notdefault comsat finger oident rwho slocate slrnpull uptime quota"
;;
vm)
# dont need hardware specific things for vms
notdefault="$notdefault acpi cdrecord fcoe iscsi isns openct raid rasdaemon tgtd tvtime vbetool"
# dont need handset stuff
notdefault="$notdefault eg25manager feedbackd geoclue iiosensorproxy"
;;
desktop)
# dont need VM things
notdefault="$notdefault hypervkvp"
# dont need portable stuff
notdefault="$notdefault geoclue"
# dont need handset stuff
notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
;;
laptop)
# dont need VM things
notdefault="$notdefault hypervkvp"
# dont need handset stuff
notdefault="$notdefault eg25manager feedbackd iiosensorproxy"
;;
*)
# Any other value, including an empty $platform: $notdefault keeps only its
# base list. The message goes to stdout and the script continues.
echo "Unknown output from hostnamectl or not running systemd"
;;
esac
# Source the system SELinux configuration into this shell; the code below
# reads SELINUXTYPE from it.
# NOTE(review): the file is executed as shell code with the privileges of
# this maintainer script (normally root), so it must be writable by root
# only. With `set -e' a missing or failing file stops the script here.
. /etc/selinux/config
# Dispatch on the maintainer-script action passed as the first argument.
case "$1" in
configure)
echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."
# list all the modules that are already installed with our priority
# The grep keeps lines that start with "$priority " and cut takes the second
# space-separated field, i.e. the module name.
already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`
# record which non-default modules do not yet exist for disabling them later
# A module from $notdefault gets a `-d' flag only when it is NOT in
# $already_installed; modules already installed at this priority are left
# out of the list (presumably to keep the administrator's enable/disable
# choice across upgrades -- confirm with the package changelog).
to_disable=""
for module in ${notdefault}; do
installed=0
for inst_module in ${already_installed}; do
if [ $module = $inst_module ]; then
installed=1
break
fi
done
if [ $installed -ne 1 ]; then
to_disable="$to_disable -d${module}"
fi
done
# List all the modules that we are going to install
# One `-i<path>.pp.bz2' argument per name in the packaged .modules file.
# NOTE(review): the unquoted command substitution relies on word splitting,
# so module names are assumed to be plain words without whitespace or glob
# characters.
to_install=""
for module in `cat /usr/share/selinux/${flavour}/.modules`; do
to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
done
# Now build a list of the modules that we were shipping before but that we are not
# anymore and that we need to remove
to_remove=""
for inst_module in $already_installed; do
remove_module=1
for pkg_module in `cat /usr/share/selinux/${flavour}/.modules`; do
if [ $inst_module = $pkg_module ]; then
remove_module=0
break
fi
done
if [ $remove_module -eq 1 ]; then
to_remove="$to_remove -r${inst_module}"
fi
done
# Now load policy into the kernel if it is the configured policy
# and we are running selinux
# Otherwise `-n' (no reload) is added to the semodule call. $noreload is not
# initialised anywhere else in this script, so it expands to nothing when
# the condition is false.
if [ "${SELINUXTYPE}" != "${flavour}" ] || ! selinuxenabled; then
noreload='-n'
fi
ret=0
# Single semodule invocation carrying all removals, installs and disables.
# The variables are deliberately unquoted so that every -r/-i/-d word is
# passed as its own argument. `|| ret=$?' records a failure instead of
# letting `set -e' end the script before the " failed." message is printed.
semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$?
if [ $ret -eq 0 ]; then
echo " done."
else
echo " failed."
exit $ret
fi
# Relabel step: runs only when a file_contexts.old copy exists next to the
# current file_contexts (the step that creates the .old file is not part of
# this script).
FC=/etc/selinux/$flavour/contexts/files/file_contexts
OLDFC=$FC.old
if [ -f $OLDFC ]; then
# NOTE(review): the mktemp files below are removed by explicit rm calls only;
# there is no trap, so they stay behind if the script aborts in between.
OLDSORT=$(mktemp)
NEWSORT=$(mktemp)
sort < $OLDFC > $OLDSORT
sort < $FC > $NEWSORT
ORIGDIFF=$(mktemp)
# Keep the changed lines of the diff and drop the lines that start with a
# digit (diff's line-number markers). `|| true' covers grep exiting non-zero
# when nothing is left.
# NOTE(review): the pattern ^[0-9] is unquoted, so the shell would replace it
# with a matching file name if one existed in the current directory.
diff $OLDSORT $NEWSORT | grep -v ^[0-9] > $ORIGDIFF || true
rm $OLDSORT $NEWSORT
if [ -s $ORIGDIFF ]; then
DIFF=$(mktemp)
# Field 2 with a single space as delimiter (the backslash escapes the
# space): strips the leading `<' / `>' marker that diff puts on each line.
cut -f2 -d\ < $ORIGDIFF > $DIFF
GOOD=$(mktemp)
# Candidates for automatic relabeling: specs outside /run and /dev that
# contain at least two slashes.
grep -v ^/run $DIFF |grep -v ^/dev | grep "/.*/" > $GOOD || true
if [ -s $GOOD ]; then
echo ""
echo "Relabeling matches for the following file context changes:"
cat $GOOD
echo ""
# The sed expressions cut each file-context regex back to a directory prefix;
# the result is de-duplicated and passed through the remove-leaf-dirs helper
# (its exact behaviour is not visible here).
DIRS=$(cat $GOOD | sed -e 's/(\.\*\/).*$//' -e 's/(.*$//' -e 's/\/[^/]*$//' -e 's/\/[0-9a-z]*\[.*$//' | sort -u | /usr/libexec/selinux/remove-leaf-dirs)
echo The following directories: $DIRS
# A restorecon failure is reported but does not fail the installation.
restorecon -R -v $DIRS || echo "restorecon gave an error but package is still ok"
fi
rm $GOOD
PROB=$(mktemp)
# Changes that are not relabeled automatically: entries under /run and /dev
# and lines without two slashes. They are only printed for manual review.
grep ^../run $ORIGDIFF > $PROB || true
grep ^../dev $ORIGDIFF >> $PROB || true
grep -v "/.*/" $ORIGDIFF >> $PROB || true
if [ -s $PROB ]; then
echo "The following lines have changes that can't be automatically applied, consider"
echo "manually relabelling them if appropriate:"
cat $PROB
fi
rm $DIFF $PROB
else
echo "No changes to file contexts"
fi
rm $ORIGDIFF $OLDFC
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
# Nothing to undo for the abort-* actions.
;;
*)
# Unknown action: report on stderr and fail.
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
# Automatically added by dh_installdeb/13.11.6
# Each call hands one path, a version bound and the original maintainer
# script arguments (after `--') to dpkg-maintscript-helper's rm_conffile
# action. These lines sit outside the case statement, so they run for every
# action that reaches this point.
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/local.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/users/system.users 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.read.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/semanage.trans.LOCK 2:2.20140421-10\~ -- "$@"
dpkg-maintscript-helper rm_conffile /etc/selinux/default/modules/active/file_contexts.local 2:2.20140421-10\~ -- "$@"
# End automatically added section
# Explicit success status for the package manager.
exit 0
7)执行/etc/selinux/config
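接下来的一行代码通过“.”(即source)命令在当前shell中读入并执行/etc/selinux/config,从而获得其中定义的SELINUX、SELINUXTYPE等变量。由于postinst通常以root身份运行,该文件中的任何内容都会被当作shell代码执行,因此它应当只允许root写入: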
. /etc/selinux/config
/etc/selinux/config文件的代码如下:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
/etc/selinux/config文件控制系统上SELinux的状态。
SELINUX项
SELINUX可以取以下三个值之一:
- enforcing —— SELinux安全策略已强制执行。
- permissive —— SELinux打印警告但并不强制执行。
- disabled —— 未加载SELinux策略。
SELINUXTYPE项
SELINUXTYPE可以取以下值之一(配置文件的注释写的是“两个”,实际列出了三个):
- default —— 相当于旧(版本)的strict和targeted策略。
- mls —— 多级安全(用于军事和教育用途)。
- src —— 从源代码生成的自定义策略。
SETLOCALDEFS项
检查本地定义更改。
8)进入configure分支
postinst脚本代码接下来走进了case分支。由于这部分代码较长,因此分段来看。
case "$1" in
configure)
$1是调用postinst脚本时传入的第1个参数($0是脚本自身的名称)。参考上一回3)中的注释:
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
最主要的就是configure。这里也是将参数1分成了两类:configure和其它。先来看configure分支中的代码。
9)提示信息
通过以下一行代码在终端给出提示信息:
echo -n "Updating selinux ${flavour} policy (this step might take a moment)..."
flavour之前赋值为default:
flavour="default"
那么此处在终端显示的提示信息为“Updating selinux default policy (this step might take a moment)...”。
10)列出当前策略下已安装模块并赋值给already_installed
# list all the modules that are already installed with our priority
# The grep keeps lines that start with "$priority " and cut takes the second
# space-separated field, i.e. the module name. The result is a
# whitespace-separated list of names that the later loops iterate over.
already_installed=`semodule -s ${flavour} --list-modules=full | grep -e "^${priority} " | cut -d' ' -f2`
semodule详细介绍参见笔者这篇博客:
-s选项指定要操作的策略存储(store)的名称,这里flavour的值是default;--list-modules选项的作用是显示已安装模块的列表(基本模块除外),取值full时每行以模块的优先级开头,后面的grep和cut正是据此筛选出优先级为${priority}(即100)的行,并取出第2列的模块名。
单独执行这一部分命令的结果如下:
$ sudo semodule -s default --list-modules=full
libsemanage.semanage_create_store: Could not create module store at /var/lib/selinux/default. (No such file or directory).
libsemanage.semanage_direct_connect: could not establish direct connection (No such file or directory).
semodule: Could not connect to policy handler
手工创建/var/lib/selinux/default文件(注意:下面touch命令里实际写的文件名是defaut,与default不一致,照做前请核对):
$ sudo mkdir /var/lib/selinux
$ sudo touch /var/lib/selinux/defaut
再次执行以上命令,结果如下:
$ sudo semodule -s default --list-modules=full
No modules.
笔者的电脑不是debian系统,因此结果并非预期。但并不耽误对于postinst脚本的分析。
11)记录notdefault列表中哪些非默认模块尚未安装,以便之后禁用
代码片段如下:
# record which non-default modules do not yet exist for disabling them later
# For every name in $notdefault, scan $already_installed; the module gets a
# `-d<module>' flag only when no match is found. Modules that are already
# installed at this priority are therefore NOT added to $to_disable.
to_disable=""
for module in ${notdefault}; do
installed=0
for inst_module in ${already_installed}; do
if [ $module = $inst_module ]; then
installed=1
break
fi
done
if [ $installed -ne 1 ]; then
to_disable="$to_disable -d${module}"
fi
done
即:对notdefault中的每个模块,如果它不在already_installed(以本优先级已安装的模块)之中,就把“-d模块名”追加到to_disable变量中;已经安装过的模块不会被加入该列表。
12)列出要安装的所有模块
代码片段如下:
# List all the modules that we are going to install
# Builds one `-i<path>' argument per name read from the packaged .modules
# file; the path points at the matching compressed module (.pp.bz2) in the
# same directory.
# NOTE(review): the unquoted command substitution relies on word splitting,
# so module names are assumed to be plain words without whitespace or glob
# characters.
to_install=""
for module in `cat /usr/share/selinux/${flavour}/.modules`; do
to_install="$to_install -i/usr/share/selinux/${flavour}/${module}.pp.bz2"
done
由于是postinst脚本,因此/usr/share/selinux/这个目录对应的实际上是此deb包中的data/usr/share/selinux目录。该目录下的内容为:
$ ls
default
$ ls default/
accountsd.pp.bz2 feedbackd.pp.bz2 ncftool.pp.bz2 setroubleshoot.pp.bz2
acct.pp.bz2 fetchmail.pp.bz2 nessus.pp.bz2 seunshare.pp.bz2
acpi.pp.bz2 finger.pp.bz2 netlabel.pp.bz2 shibboleth.pp.bz2
afs.pp.bz2 firewalld.pp.bz2 netutils.pp.bz2 shorewall.pp.bz2
aide.pp.bz2 fprintd.pp.bz2 networkmanager.pp.bz2 shutdown.pp.bz2
aisexec.pp.bz2 ftp.pp.bz2 nis.pp.bz2 slocate.pp.bz2
alsa.pp.bz2 fwupd.pp.bz2 nscd.pp.bz2 slpd.pp.bz2
amanda.pp.bz2 games.pp.bz2 nsd.pp.bz2 slrnpull.pp.bz2
amavis.pp.bz2 gatekeeper.pp.bz2 nslcd.pp.bz2 smartmon.pp.bz2
amtu.pp.bz2 gdomap.pp.bz2 ntop.pp.bz2 smokeping.pp.bz2
apache.pp.bz2 geoclue.pp.bz2 ntp.pp.bz2 smstools.pp.bz2
apcupsd.pp.bz2 getty.pp.bz2 numad.pp.bz2 snmp.pp.bz2
aptcacher.pp.bz2 gitosis.pp.bz2 nut.pp.bz2 snort.pp.bz2
apt.pp.bz2 git.pp.bz2 nx.pp.bz2 sosreport.pp.bz2
arpwatch.pp.bz2 glance.pp.bz2 obex.pp.bz2 soundserver.pp.bz2
asterisk.pp.bz2 glusterfs.pp.bz2 oddjob.pp.bz2 spamassassin.pp.bz2
auditadm.pp.bz2 gnomeclock.pp.bz2 oident.pp.bz2 squid.pp.bz2
automount.pp.bz2 gnome.pp.bz2 openca.pp.bz2 ssh.pp.bz2
avahi.pp.bz2 gpg.pp.bz2 openct.pp.bz2 sssd.pp.bz2
awstats.pp.bz2 gpm.pp.bz2 openhpi.pp.bz2 staff.pp.bz2
backup.pp.bz2 gpsd.pp.bz2 openvpn.pp.bz2 stunnel.pp.bz2
bacula.pp.bz2 guest.pp.bz2 openvswitch.pp.bz2 sudo.pp.bz2
base.pp.bz2 hddtemp.pp.bz2 pacemaker.pp.bz2 su.pp.bz2
bind.pp.bz2 hostname.pp.bz2 pads.pp.bz2 svnserve.pp.bz2
bird.pp.bz2 hypervkvp.pp.bz2 passenger.pp.bz2 switcheroo.pp.bz2
bitlbee.pp.bz2 i18n_input.pp.bz2 pcscd.pp.bz2 sxid.pp.bz2
blueman.pp.bz2 icecast.pp.bz2 pegasus.pp.bz2 sympa.pp.bz2
bluetooth.pp.bz2 ifplugd.pp.bz2 perdition.pp.bz2 sysstat.pp.bz2
boinc.pp.bz2 iiosensorproxy.pp.bz2 pingd.pp.bz2 systemtap.pp.bz2
bootloader.pp.bz2 inetd.pp.bz2 pkcs.pp.bz2 tcpd.pp.bz2
brctl.pp.bz2 inn.pp.bz2 plymouthd.pp.bz2 tcsd.pp.bz2
bubblewrap.pp.bz2 iodine.pp.bz2 policykit.pp.bz2 telepathy.pp.bz2
bugzilla.pp.bz2 ipsec.pp.bz2 portmap.pp.bz2 telnet.pp.bz2
cachefilesd.pp.bz2 iptables.pp.bz2 portreserve.pp.bz2 tftp.pp.bz2
calamaris.pp.bz2 ircd.pp.bz2 portslave.pp.bz2 tgtd.pp.bz2
canna.pp.bz2 irc.pp.bz2 postfixpolicyd.pp.bz2 thunderbird.pp.bz2
cdrecord.pp.bz2 irqbalance.pp.bz2 postfix.pp.bz2 thunderbolt.pp.bz2
certbot.pp.bz2 iscsi.pp.bz2 postgresql.pp.bz2 timidity.pp.bz2
certmonger.pp.bz2 isns.pp.bz2 postgrey.pp.bz2 tmpreaper.pp.bz2
cfengine.pp.bz2 jabber.pp.bz2 powerprofiles.pp.bz2 tor.pp.bz2
cgroup.pp.bz2 java.pp.bz2 ppp.pp.bz2 transproxy.pp.bz2
chromium.pp.bz2 kdump.pp.bz2 prelink.pp.bz2 tripwire.pp.bz2
chronyd.pp.bz2 kerberos.pp.bz2 prelude.pp.bz2 tuned.pp.bz2
clamav.pp.bz2 kerneloops.pp.bz2 privoxy.pp.bz2 tvtime.pp.bz2
clock.pp.bz2 keystone.pp.bz2 procmail.pp.bz2 tzdata.pp.bz2
cobbler.pp.bz2 kismet.pp.bz2 psad.pp.bz2 ucspitcp.pp.bz2
cockpit.pp.bz2 ksmtuned.pp.bz2 publicfile.pp.bz2 ulogd.pp.bz2
collectd.pp.bz2 l2tp.pp.bz2 pulseaudio.pp.bz2 uml.pp.bz2
colord.pp.bz2 ldap.pp.bz2 puppet.pp.bz2 unconfined.pp.bz2
comsat.pp.bz2 lightsquid.pp.bz2 pwauth.pp.bz2 unprivuser.pp.bz2
condor.pp.bz2 likewise.pp.bz2 pxe.pp.bz2 updfstab.pp.bz2
container.pp.bz2 lircd.pp.bz2 pyzor.pp.bz2 uptime.pp.bz2
corosync.pp.bz2 livecd.pp.bz2 qemu.pp.bz2 usbmodules.pp.bz2
couchdb.pp.bz2 lldpad.pp.bz2 qmail.pp.bz2 usbmuxd.pp.bz2
courier.pp.bz2 loadkeys.pp.bz2 qpid.pp.bz2 userhelper.pp.bz2
cpucontrol.pp.bz2 logadm.pp.bz2 quantum.pp.bz2 usernetctl.pp.bz2
cpufreqselector.pp.bz2 logrotate.pp.bz2 quota.pp.bz2 uucp.pp.bz2
cron.pp.bz2 logwatch.pp.bz2 rabbitmq.pp.bz2 uuidd.pp.bz2
ctdb.pp.bz2 lowmemorymonitor.pp.bz2 radius.pp.bz2 uwimap.pp.bz2
cups.pp.bz2 lpd.pp.bz2 radvd.pp.bz2 varnishd.pp.bz2
cvs.pp.bz2 lvm.pp.bz2 raid.pp.bz2 vbetool.pp.bz2
cyphesis.pp.bz2 mailman.pp.bz2 rasdaemon.pp.bz2 vdagent.pp.bz2
cyrus.pp.bz2 man2html.pp.bz2 razor.pp.bz2 virt.pp.bz2
daemontools.pp.bz2 mandb.pp.bz2 rdisc.pp.bz2 vlock.pp.bz2
dante.pp.bz2 matrixd.pp.bz2 realmd.pp.bz2 vmware.pp.bz2
dbadm.pp.bz2 mediawiki.pp.bz2 redis.pp.bz2 vnstatd.pp.bz2
dbskk.pp.bz2 memcached.pp.bz2 remotelogin.pp.bz2 vpn.pp.bz2
ddclient.pp.bz2 memlockd.pp.bz2 rlogin.pp.bz2 watchdog.pp.bz2
devicekit.pp.bz2 milter.pp.bz2 rngd.pp.bz2 wdmd.pp.bz2
dhcp.pp.bz2 minidlna.pp.bz2 rpcbind.pp.bz2 webadm.pp.bz2
dictd.pp.bz2 minissdpd.pp.bz2 rpc.pp.bz2 webalizer.pp.bz2
dirmngr.pp.bz2 modemmanager.pp.bz2 rshd.pp.bz2 wine.pp.bz2
distcc.pp.bz2 mojomojo.pp.bz2 rssh.pp.bz2 wireshark.pp.bz2
djbdns.pp.bz2 mongodb.pp.bz2 rsync.pp.bz2 wm.pp.bz2
dkim.pp.bz2 monit.pp.bz2 rtkit.pp.bz2 xdg.pp.bz2
dmidecode.pp.bz2 mono.pp.bz2 rwho.pp.bz2 xen.pp.bz2
dnsmasq.pp.bz2 monop.pp.bz2 samba.pp.bz2 xfs.pp.bz2
docker.pp.bz2 mon.pp.bz2 samhain.pp.bz2 xguest.pp.bz2
dovecot.pp.bz2 mozilla.pp.bz2 sanlock.pp.bz2 xscreensaver.pp.bz2
drbd.pp.bz2 mpd.pp.bz2 sasl.pp.bz2 xserver.pp.bz2
eg25manager.pp.bz2 mplayer.pp.bz2 sblim.pp.bz2 zabbix.pp.bz2
entropyd.pp.bz2 mrtg.pp.bz2 screen.pp.bz2 zarafa.pp.bz2
evolution.pp.bz2 mta.pp.bz2 secadm.pp.bz2 zebra.pp.bz2
exim.pp.bz2 munin.pp.bz2 sendmail.pp.bz2 zosremote.pp.bz2
fail2ban.pp.bz2 mysql.pp.bz2 sensord.pp.bz2
fcoe.pp.bz2 nagios.pp.bz2 setrans.pp.bz2
data/usr/share/selinux/default/.modules文件的内容为:
$ cat default/.modules
accountsd
acct
acpi
afs
aide
aisexec
alsa
amanda
amavis
amtu
apache
apcupsd
apt
aptcacher
arpwatch
asterisk
auditadm
automount
avahi
awstats
backup
bacula
base
bind
bird
bitlbee
blueman
bluetooth
boinc
bootloader
brctl
bubblewrap
bugzilla
cachefilesd
calamaris
canna
cdrecord
certbot
certmonger
cfengine
cgroup
chromium
chronyd
clamav
clock
cobbler
cockpit
collectd
colord
comsat
condor
container
corosync
couchdb
courier
cpucontrol
cpufreqselector
cron
ctdb
cups
cvs
cyphesis
cyrus
daemontools
dante
dbadm
dbskk
ddclient
devicekit
dhcp
dictd
dirmngr
distcc
djbdns
dkim
dmidecode
dnsmasq
docker
dovecot
drbd
eg25manager
entropyd
evolution
exim
fail2ban
fcoe
feedbackd
fetchmail
finger
firewalld
fprintd
ftp
fwupd
games
gatekeeper
gdomap
geoclue
getty
git
gitosis
glance
glusterfs
gnome
gnomeclock
gpg
gpm
gpsd
guest
hddtemp
hostname
hypervkvp
i18n_input
icecast
ifplugd
iiosensorproxy
inetd
inn
iodine
ipsec
iptables
irc
ircd
irqbalance
iscsi
isns
jabber
java
kdump
kerberos
kerneloops
keystone
kismet
ksmtuned
l2tp
ldap
lightsquid
likewise
lircd
livecd
lldpad
loadkeys
logadm
logrotate
logwatch
lowmemorymonitor
lpd
lvm
mailman
man2html
mandb
matrixd
mediawiki
memcached
memlockd
milter
minidlna
minissdpd
modemmanager
mojomojo
mon
mongodb
monit
mono
monop
mozilla
mpd
mplayer
mrtg
mta
munin
mysql
nagios
ncftool
nessus
netlabel
netutils
networkmanager
nis
nscd
nsd
nslcd
ntop
ntp
numad
nut
nx
obex
oddjob
oident
openca
openct
openhpi
openvpn
openvswitch
pacemaker
pads
passenger
pcscd
pegasus
perdition
pingd
pkcs
plymouthd
policykit
portmap
portreserve
portslave
postfix
postfixpolicyd
postgresql
postgrey
powerprofiles
ppp
prelink
prelude
privoxy
procmail
psad
publicfile
pulseaudio
puppet
pwauth
pxe
pyzor
qemu
qmail
qpid
quantum
quota
rabbitmq
radius
radvd
raid
rasdaemon
razor
rdisc
realmd
redis
remotelogin
rlogin
rngd
rpc
rpcbind
rshd
rssh
rsync
rtkit
rwho
samba
samhain
sanlock
sasl
sblim
screen
secadm
sendmail
sensord
setrans
setroubleshoot
seunshare
shibboleth
shorewall
shutdown
slocate
slpd
slrnpull
smartmon
smokeping
smstools
snmp
snort
sosreport
soundserver
spamassassin
squid
ssh
sssd
staff
stunnel
su
sudo
svnserve
switcheroo
sxid
sympa
sysstat
systemtap
tcpd
tcsd
telepathy
telnet
tftp
tgtd
thunderbird
thunderbolt
timidity
tmpreaper
tor
transproxy
tripwire
tuned
tvtime
tzdata
ucspitcp
ulogd
uml
unconfined
unprivuser
updfstab
uptime
usbmodules
usbmuxd
userhelper
usernetctl
uucp
uuidd
uwimap
varnishd
vbetool
vdagent
virt
vlock
vmware
vnstatd
vpn
watchdog
wdmd
webadm
webalizer
wine
wireshark
wm
xdg
xen
xfs
xguest
xscreensaver
xserver
zabbix
zarafa
zebra
zosremote
按照以上脚本最终得到to_install的值为:
postinst的其余代码请看下回。