[Pkg-sysvinit-devel] Bug#452645: Bug#452645: README.policy-rc.d is unclear and should provide example

Henrique de Moraes Holschuh hmh at debian.org
Mon Nov 26 11:53:08 UTC 2007 

On Sat, 24 Nov 2007, Stefan Fritsch wrote:
> README.policy-rc.d says that a policy-rc.d script should exit with 0 if the
> action is allowed. However it does not explicitly state that this will override
> the runlevel checks done by invoke-rc.d. This is quite surprising and should be
> made more clear.

The last paragraph in the readme should also make the point clear (note that
this is for *sysv-rc*:

--8<--
invoke-rc.d built-in policy rules:

To shield policy-rc.d of the underlying initscript system (file-rc, links in
/etc/rc?.d or something else), invoke-rc.d implements the following built-in
rules:

  1. action "start" out of runlevel is denied,
     (policy-rc.d receives action "(start)" instead of "start");
  2. action "restart" out of runlevel is denied,
     (policy-rc.d receives action "(restart)" instead of "restart");
  3. any action for a non-executable initscript is denied.

Rule 3 is absolute, policy-rc.d cannot override it.
--8<--

Of course you are entitled to override non-insane requests, that's exactly
what policy-rc.d is *for*.  The only insane requests are those for
unregistered initscripts, and trying to run something that is not executable
in the first place (for sysv-rc and file-rc.  An initscript subsystem that
had the actions inside XML config files, for example, would have different
rules for what is insane).

> Actually, README.policy-rc.d should provide an example for a policy-rc.d script
> that does nothing, i.e. that gives _exactly_ the same behaviour as if the
> policy-rc.d script was not present.

That would be "no script in there".  Different initscript subsystems are
allowed to ship an invoke-rc.d that reacts differently when it detects the
presence of a policy-rc.d script.

For sysv-rc and file-rc, the "do nothing" script should:
return 101 if it gets anything between () as the action (or return 0, if you
don't mind running crap out-of-runlevel).
return 0 otherwise.

If someone would like to provide patches to make that documentation more
clear, feel free to do so.  Just remember that invoke-rc.d is initscript
subsystem *specific*, and that policy-rc.d is initscript subsystem
*agnostic*, so you may have to look at the invoke-rc.d scripts for every
initscript subsystem in Debian, first.

I really think the policy-rc.d docs should be in a different package than
sysv-rc, but I don't know which.  Maybe it should go into debian-policy
itself, or in the "initscripts" package.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

More information about the Pkg-sysvinit-devel mailing list