f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER START
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# The contents of this file are subject to the terms of the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Common Development and Distribution License (the "License").
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You may not use this file except in compliance with the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# See the License for the specific language governing permissions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# and limitations under the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# When distributing Covered Code, include this CDDL HEADER in each
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# If applicable, add the following below this CDDL HEADER, with the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# fields enclosed by brackets "[]" replaced with your own identifying
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# information: Portions Copyright [yyyy] [name of copyright owner]
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER END
269f47de02761bab3b7b28e2007a2bac34f629ccThuy Fettig# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax: -R allowed for start method only"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid -R rootpath dir specified"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: not supported in a local zone"
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # Comment out audio, usb, removable-media, and hotpluggable device
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj if [ ! -f $LOGINDEVPERM ]; then
36d41b68ce4ecc38f01ced5fe21dddf05a5f9289Nathan Bush sed -e "s!^$from\([^# ]\{1,\}[ }\{1,\}[0-9]\{1,\}[ ]\{1,\}\)$line!$to\1$line!" \
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
269f47de02761bab3b7b28e2007a2bac34f629ccThuy Fettig # Ensure auditing and device allocation are enabled by
269f47de02761bab3b7b28e2007a2bac34f629ccThuy Fettig /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
269f47de02761bab3b7b28e2007a2bac34f629ccThuy Fettig /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# For Trusted Extensions, make nscd service transient in local zones.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricacat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica# No comments or blank lines allowed in the entries below
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtlogin account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtlogin account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtsession account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtsession account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricagdm account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricagdm account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaxscreensaver account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaxscreensaver account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricapasswd account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricapasswd account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtpasswd account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtpasswd account required pam_unix_account.so.1
c64380fd28a9c6885abd420225a75a57e46f6b75ricatsoljds-tstripe account requisite pam_roles.so.1
c64380fd28a9c6885abd420225a75a57e46f6b75ricatsoljds-tstripe account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaother account required pam_tsol_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ ! -f ${PAM_DEST} ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica # Update pam.conf to append Trusted Extensions entries if not
8700009e2cc8cb186241e1fdd74973da1121ee4crica # If this is the 'other' entry, add it unless it already
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? = 1 ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? = 1 ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ -f /tmp/pamconf.$$ ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ ! -f ${PAM_DEST} ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? -ne 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ ! -f ${ROOT_PATH}/etc/system ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -ne 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk if [ ! -x /usr/bin/stclient ]; then
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk if [ $? = 0 ]; then
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk # fall through: no service tag, or does not match saved instance id
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk if [ $? = 0 ]; then
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk if [ ! -x /usr/bin/stclient ]; then
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
e9958a6c9e7427ed38c0957f2c72bde3068b0f3bjpk /usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # If a labeld door exists, check for a labeld process and exit
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -z "$SMF_FMRI" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: this script can only be invoked by smf(5)"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # general/enabled is not persistently set, which looks like a temporary enablement (svcadm enable -t); that is refused below
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Temporarily enabling Trusted Extensions is not allowed."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before enabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # start the daemon process so our service doesn't go into
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # maintenance state
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must reboot and configure Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Support jumpstart etc
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Setup dependent services
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must configure Trusted Extensions before booting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before disabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Stop Trusted services.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # Uncomment audio, usb, removable-media, and hotpluggable device
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # entries in /etc/logindevperm.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Remove sys_labeling from /etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Stopped. Will take effect at next boot."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "Usage: $0 { start | stop }"