Hello Opty,
On Wed, 2 Apr 2025 13:54:05 +0200
Opty <opty77@???> wrote:
> On Tue, Apr 1, 2025 at 6:23 PM Mark Hindley <mark@???>
> wrote:
> > Thanks for this. However, I find your report a bit terse.
> >
> > Do you have policy-rcd-declarative installed? If so what is usage
> > for it? How do you have a permissive policy defined?
>
> Hopefully the whole story so far:
>
> I wanted to disable services auto(re)start on package install/upgrade
> so indeed I installed policy-rcd-declarative and
> policy-rcd-declarative-deny-all which worked well for subsequent
> vnstat install but then log rotation stopped working due to
> invoke-rc.d so I modified 'deny' in /etc/service-policy.d/99-deny.pol
> to 'allow' (*) but then K-link-disabled rsyslogd unexpectedly started
> after an upgrade (**) so I had to surrender for now and 'chmod -x
> /usr/sbin/policy-rc.d-declarative'.

I'm not sure what you want to do is supported by the
policy-rc.d-declarative, but maybe you can do that with the old
interface.

The policy-rc.d thing is meant to prevent signals (start, stop,
restart) to services in chroots where it does not make sense to
have a service running; for example, it is used by the installer (but
also by sbuild and there are other use cases);
it could also be used by the local admin, but the typical use is to
decide to completely block the entire package machinery on a service.

I'm not sure how the declarative interface works, but the
service name and the action (start/restart/stop/reload/whatever)
are passed as arguments to the old policy-rc.d script, so maybe with
some scripting you can block start/restart actions but allow reload
(or whatever is used by logrotate)?

I suggest you try to play with it. An example
(it won't stop anything, it is just to understand how it works):

# cat /usr/sbin/policy-rc.d
#!/bin/sh
echo "first param is $1" >> /run/policytest.txt
echo "second param is $2" >> /run/policytest.txt
# 0 or 104 = run
# 101 = do not run (denied by policy)
exit 0

Then call invoke-rc.d servicename restart and inspect
/run/policytest.txt

Hope it helps,
Lorenzo

>
> (*) Yes, I should have installed policy-rcd-declarative-allow-all
> instead but what if I needed to go back again so for now I chose this
> maybe a bit confusing solution.
>
> (**) I use own sysklogd package without dependencies so I can keep
> rsyslog along and experiment.
>
> > It is worth reading https://bugs.debian.org/911290 which gives some
> > useful background as to why this area is a pretty unfrequented
> > backwater.
>
> I went through 911290 a week ago when I was doing my research.
>
> Regards,
> Opty
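
Added example, not part of Lorenzo's message or of any Devuan package: one way to do the scripting suggested above, a policy-rc.d that refuses start and restart but lets reload (or whatever action logrotate uses) through, with the 0 and 101 exit codes from the test script. The function name, the POLICY_LOG variable and the skipping of leading `--` options are assumptions of this example.

```shell
#!/bin/sh
# Added example: /usr/sbin/policy-rc.d that blocks start/restart but lets
# other actions (reload, stop, ...) through.
# Assumption: options such as --quiet may precede the service name, so
# leading "--" arguments are skipped before reading service and action.

POLICY_LOG="${POLICY_LOG:-/run/policytest.txt}"  # same file as the test script
DENIED_ACTIONS="start restart"                   # refused for every service

policy_rc_d() {
    # Skip leading options so $1 is the service and $2 the action.
    while [ $# -gt 0 ]; do
        case "$1" in
            --*) shift ;;
            *)   break ;;
        esac
    done
    prd_service="${1:-}"
    prd_action="${2:-}"
    prd_rc=0                                     # 0 = run
    for prd_denied in $DENIED_ACTIONS; do
        if [ "$prd_action" = "$prd_denied" ]; then
            prd_rc=101                           # 101 = denied by policy
        fi
    done
    # Record each decision; a failed write must not change the verdict.
    echo "service=$prd_service action=$prd_action rc=$prd_rc" \
        2>/dev/null >> "$POLICY_LOG" || true
    return "$prd_rc"
}

# Act only when installed under the name invoke-rc.d looks for.
case "${0##*/}" in
    policy-rc.d) policy_rc_d "$@"; exit $? ;;
esac
```

After installing it, the logged lines show which action the logrotate script really sends, so DENIED_ACTIONS can be adjusted to match.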