Re: Draft spec for new dpkg "triggers" feature

To: debian-devel@lists.debian.org, debian-dpkg@lists.debian.org
Cc: debian-policy@lists.debian.org, ubuntu-devel-announce@lists.ubuntu.com
Subject: Re: Draft spec for new dpkg "triggers" feature
From: Russell Coker <russell@coker.com.au>
Date: Thu, 1 Feb 2007 09:28:31 +1100
Message-id: <[🔎] 200702010928.33408.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <17855.31624.123993.146237@davenant.relativity.greenend.org.uk>
References: <17855.31624.123993.146237@davenant.relativity.greenend.org.uk>

On Wednesday 31 January 2007 04:08, Ian Jackson <iwj@ubuntu.com> wrote:
> We currently envisage three kinds of triggers:
>  * Explicit triggers.  These can be activated by any program
>    by running dpkg-trigger (at any time, but ideally from a maintainer
>    script).
>  * File triggers.  These are activated automatically by dpkg
>    when a matching file is installed, upgraded or removed as part
>    of a package.  They may also be explicitly activated by running
>    dpkg-trigger.
>  * Special triggers, which activate magic code in dpkg itself.
>    Currently none of these are defined.

Manoj's recent work on SE Linux policy has the package examine the system to 
determine which packages are installed and to then load the matching SE Linux 
policy modules.  This works OK on an initial install as a complete relabel is 
performed after installing the policy.

But for a running SE Linux system when a new package is installed we need the 
policy loaded first.

For example if a SE Linux system does not have Apache installed then the 
Apache policy will not be loaded (saves some kernel memory).  If you install 
one of the Apache packages then ideally the SE Linux policy module will be 
loaded first (before the package is unpackaged).

This means that we need a trigger for new package selection and the trigger 
has to be completed before any of the packages are installed.

In the case of SE Linux it's not really a problem if the installation of the 
package in question is never performed.  For example if I ask Apt to install 
Apache and then press ^C after the SE Linux trigger has been called to load 
the policy but before the Apache package is unpacked then it's OK.  There 
will be slightly more kernel memory in use but the system operates as before.  
If I never decide to install Apache then the policy just keeps running, I 
easily can remove it if necessary.

Inserting and removing SE Linux policy modules if similar to running modprobe 
and rmmod except that the state is changed on disk and applies after the next 
reboot.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

Reply to:

Follow-Ups:
- Re: Draft spec for new dpkg "triggers" feature
  - From: Ian Jackson <ian@davenant.greenend.org.uk>

Prev by Date: ID: 25807
Next by Date: Re: Draft spec for new dpkg "triggers" feature
Previous by thread: ID: 25807
Next by thread: Re: Draft spec for new dpkg "triggers" feature
Index(es):
- Date
- Thread