Devuan bug report logs - #881
invoke-rc.d: Policy layer may override runlevel constraint

version graph

Package: init-system-helpers; Maintainer for init-system-helpers is Devuan Dev Team <devuan-dev@lists.dyne.org>; Source for init-system-helpers is src:init-system-helpers.

Reported by: Opty <opty77@gmail.com>

Date: Tue, 1 Apr 2025 12:16:02 UTC

Severity: normal

Tags: debian, moreinfo

Merged with 882, 883, 884

Found in version init-system-helpers/1.65.2devuan1

Full log


Message #20 received at 881@bugs.devuan.org (full text, mbox, reply):

Received: (at 881) by bugs.devuan.org; 2 Apr 2025 12:34:39 +0000
Return-Path: <plorenzo@disroot.org>
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2a01:4f9:fff1:13::5fd9:f9e4]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 02 Apr 2025 12:34:39 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id 8MicCbQu7WeQGQAAmSBk0A
	(envelope-from <plorenzo@disroot.org>)
	for <bugs@devuan.org>; Wed, 02 Apr 2025 12:33:56 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id 0F8054A8; Wed,  2 Apr 2025 12:33:55 +0000 (UTC)
Authentication-Results: email.devuan.org;
	dkim=pass (2048-bit key; secure) header.d=disroot.org header.i=@disroot.org header.a=rsa-sha256 header.s=mail header.b=SfcsRpT7;
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
	autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.21.23.139; helo=layka.disroot.org; envelope-from=plorenzo@disroot.org; receiver=<UNKNOWN> 
Received: from layka.disroot.org (layka.disroot.org [178.21.23.139])
	by email.devuan.org (Postfix) with ESMTPS id 78ACC173
	for <881@bugs.devuan.org>; Wed,  2 Apr 2025 12:33:53 +0000 (UTC)
Received: from mail01.disroot.lan (localhost [127.0.0.1])
	by disroot.org (Postfix) with ESMTP id A8E202599D;
	Wed,  2 Apr 2025 14:33:52 +0200 (CEST)
X-Virus-Scanned: SPAM Filter at disroot.org
Received: from layka.disroot.org ([127.0.0.1])
 by localhost (disroot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id qwiOWORH8-Cd; Wed,  2 Apr 2025 14:33:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail;
	t=1743597228; bh=quPSlgX1D4BEy0ND+PiuhKgMtaCzgOdLjnk1/uvHGs4=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References;
	b=SfcsRpT7wMhJIQQbuSZq5VWyFfTlFHmEdkgbKjHxbFyulgNp+cvry0xCBrFgyjnN3
	 fkjALHRVdCLD7iRfWIdII79eQK2KDybi3Disd5zIIEaAzvOi5V8CjBkpr5s3qeTGJh
	 MgnPQ8GQKrFgzqi70kGk+hSDzj8+WflCrYPuMHOsl36/xNzuRq+H2xuxhhkDZJFjQZ
	 vFiK9AyoOneL6jRDZro9zwNWJoJ7QdFBOhcbVfCi4DQT1WwhfLFwYplG/ByVRvPXtW
	 TLU+r7mIjn/0Dl6fNK6CUtJD8a3q8t+jiuTPGeZffc5+g2/V9MyvqxSMT0tBMBvYGp
	 GnEDvvICZf7VQ==
Date: Wed, 2 Apr 2025 14:33:40 +0200
From: Lorenzo <plorenzo@disroot.org>
To: Opty <opty77@gmail.com>
Cc: 881@bugs.devuan.org, devuan developers internal list
 <devuan-dev@lists.dyne.org>, Mark Hindley <mark@hindley.org.uk>
Subject: Re: [devuan-dev] bug#881: invoke-rc.d: Policy layer may override
 runlevel constraint
Message-ID: <20250402143026.50db21f7@lorenz.fritz.box>
In-Reply-To: <CAERDJOG_4mnRRA7oFvcbMFoiZitExizd=jR=HqyL9dT15ORFyQ@mail.gmail.com>
References: <CAERDJOGBvwgsTJ7rL-MaUqLmBk7kBd12rtuAj1hDQt0-U9Ktug@mail.gmail.com>
	<Z-wTFqfiCrvD9Exb@hindley.org.uk>
	<CAERDJOGBvwgsTJ7rL-MaUqLmBk7kBd12rtuAj1hDQt0-U9Ktug@mail.gmail.com>
	<CAERDJOG_4mnRRA7oFvcbMFoiZitExizd=jR=HqyL9dT15ORFyQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Hello Opty,

On Wed, 2 Apr 2025 13:54:05 +0200
Opty <opty77@gmail.com> wrote:

> On Tue, Apr 1, 2025 at 6:23 PM Mark Hindley <mark@hindley.org.uk>
> wrote:
> > Thanks for this. However, I find your report a bit terse.
> >
> > Do you have policy-rcd-declarative installed? If so what is usage
> > for it? How do you have a permissive policy defined?
> 
> Hopefully the whole story so far:
> 
> I wanted to disable services auto(re)start on package install/upgrade
> so indeed I installed policy-rcd-declarative and
> policy-rcd-declarative-deny-all which worked well for subsequent
> vnstat install but then log rotation stopped working due to
> invoke-rc.d so I modified 'deny' in /etc/service-policy.d/99-deny.pol
> to 'allow' (*) but then K-link-disabled rsyslogd unexpectedly started
> after an upgrade (**) so I had to surrender for now and 'chmod -x
> /usr/sbin/policy-rc.d-declarative'.

I'm not sure what you want to do is supported by the
policy-rc.d-declarative, but maybe you can do that with the old
interface.

The policy-rc.d thing is meant to prevent signal (start stop
restart) to services in chroots where it does not make sense to
have a service running; for example, is used by the installer (but also
by sbuild and there are other use cases);
it could be also used by the local admin but the typical use is decide
to completely block the entire package machinery on a service.

I'm not sure how the declarative interface works, but the
service name and the action (start/restart/stop/reload/whatever)
are passed as argument to the old policy-rc.d script, so maybe with
some scripting you can block start/restart actions but allow reload
(or whatever is used by logrotate) ?

I suggest you try to play with it, an example
(it won't stop anything, just to understand how it works)

# cat /usr/sbin/policy-rc.d 
#!/bin/sh

echo "first param is $1" >> /run/policytest.txt
echo "second param is $2" >> /run/policytest.txt

# 0 or 104 = run
# 101 = do not run (denied by policy)

exit 0

then call invoke-rc.d servicename restart and inspect
/run/policytest.txt

Hope it helps,
Lorenzo


> 
> (*) Yes, I should have installed policy-rcd-declarative-allow-all
> instead but what if I needed to go back again so for now I chose this
> maybe a bit confusing solution.
> 
> (**) I use own sysklogd package without dependencies so I can keep
> rsyslog along and experiment.
> 
> > It is worth reading https://bugs.debian.org/911290 which gives some
> > useful background as to why this area is a pretty unfrequented
> > backwater.
> 
> I went through 911290 a week ago when I was doing my research.
> 
> Regards,
> Opty
> _______________________________________________
> devuan-dev internal mailing list
> devuan-dev@lists.dyne.org
> Manage your subscription:
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev
> Archive: https://lists.dyne.org/lurker/list/devuan-dev.en.html


Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Apr 4 15:33:52 2025;