svc-labeld revision 269f47de02761bab3b7b28e2007a2bac34f629cc
f743002678eb67b99bbc29fee116b65d9530fec0wrowe#!/sbin/sh
80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg#
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem# CDDL HEADER START
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic#
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# The contents of this file are subject to the terms of the
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# Common Development and Distribution License (the "License").
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# You may not use this file except in compliance with the License.
4da61833a1cbbca94094f9653fd970582b97a72etrawick#
4da61833a1cbbca94094f9653fd970582b97a72etrawick# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
4da61833a1cbbca94094f9653fd970582b97a72etrawick# or http://www.opensolaris.org/os/licensing.
4da61833a1cbbca94094f9653fd970582b97a72etrawick# See the License for the specific language governing permissions
4da61833a1cbbca94094f9653fd970582b97a72etrawick# and limitations under the License.
4789804be088bcd86ae637a29cdb7fda25169521jailletc#
4789804be088bcd86ae637a29cdb7fda25169521jailletc# When distributing Covered Code, include this CDDL HEADER in each
4789804be088bcd86ae637a29cdb7fda25169521jailletc# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
4789804be088bcd86ae637a29cdb7fda25169521jailletc# If applicable, add the following below this CDDL HEADER, with the
e50c3026198fd496f183cda4c32a202925476778covener# fields enclosed by brackets "[]" replaced with your own identifying
e50c3026198fd496f183cda4c32a202925476778covener# information: Portions Copyright [yyyy] [name of copyright owner]
e50c3026198fd496f183cda4c32a202925476778covener#
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin# CDDL HEADER END
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin#
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic#
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic. /lib/svc/share/smf_include.sh
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavicROOT_PATH=""
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavicif [ $# -gt 1 ]; then
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic if [ $# -ne 3 -o "$2" != "-R" ]; then
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic echo "$0: invalid syntax"
69301145375a889e7e37caf7cc7321ac0f91801erpluem exit $SMF_EXIT_ERR_CONFIG
69301145375a889e7e37caf7cc7321ac0f91801erpluem fi
69301145375a889e7e37caf7cc7321ac0f91801erpluem if [ "$3" != "/" ]; then
506bfe33206b2fece40ef25f695af39dd4130facjkaluza ROOT_PATH=$3
506bfe33206b2fece40ef25f695af39dd4130facjkaluza fi
506bfe33206b2fece40ef25f695af39dd4130facjkaluzafi
506bfe33206b2fece40ef25f695af39dd4130facjkaluzaif [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
d58a848a016d401b965111e50ef829e1641f7834minfrin echo "$0: invalid syntax: -R allowed for start method only"
d58a848a016d401b965111e50ef829e1641f7834minfrin exit $SMF_EXIT_ERR_CONFIG
d58a848a016d401b965111e50ef829e1641f7834minfrinfi
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sfif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf echo "$0: invalid -R rootpath dir specified"
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf exit $SMF_EXIT_ERR_CONFIG
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavicfi
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavicif smf_is_nonglobalzone; then
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic echo "$0: not supported in a local zone"
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic exit $SMF_EXIT_ERR_CONFIG
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavicfi
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavicrewrite_logindev()
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic{
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic from="$1"
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic to="$2"
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic # Comment out audio, usb, removable-media, and hotpluggable device
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic # entries in /etc/logindevperm.
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic if [ ! -f $LOGINDEVPERM ]; then
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener return
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener fi
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener for line in \
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener "/dev/sound/" \
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener "/dev/removable-media/" \
44ff304057225e944e220e981d434a046d14cf06covener "/dev/hotpluggable/" \
44ff304057225e944e220e981d434a046d14cf06covener "/dev/usb/\[0-9a-f\]" \
44ff304057225e944e220e981d434a046d14cf06covener ; do
44ff304057225e944e220e981d434a046d14cf06covener sed -e "s!^$from\([^# ]\{1,\}[ }\{1,\}[0-9]\{1,\}[ ]\{1,\}\)$line!$to\1$line!" \
5d1ba75b8794925e67591c209085a49279791de9covener $LOGINDEVPERM > /tmp/tmp.$$
5d1ba75b8794925e67591c209085a49279791de9covener cp /tmp/tmp.$$ $LOGINDEVPERM
5d1ba75b8794925e67591c209085a49279791de9covener done
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand rm -f /tmp/tmp.$$
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand}
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand
032982212dbcc7c3cce95bf89c503bb56e185ac7kbranddo_logindev()
caad2986f81ab263f7af41467dd622dc9add17f3ylavic{
caad2986f81ab263f7af41467dd622dc9add17f3ylavic rewrite_logindev "" "#"
caad2986f81ab263f7af41467dd622dc9add17f3ylavic}
caad2986f81ab263f7af41467dd622dc9add17f3ylavic
45a10d38e6051fd7bdf9d742aaae633d97ff02abjailletcdo_otherservices()
f7317ff316c2b141feea31bddb74d5d3fa1584edjorton{
f7317ff316c2b141feea31bddb74d5d3fa1584edjorton # Setup dependent services
2165214331e4afafca4048f66f303d0253d7b001covener cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem /usr/sbin/svcadm enable -s svc:/network/tnd:default
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
1e2d421a36999d292042a5539971070d54aa6c63ylavic /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
1e2d421a36999d292042a5539971070d54aa6c63ylavic__ENABLE_OTHERS
1e2d421a36999d292042a5539971070d54aa6c63ylavic
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh}
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedoohdo_audit_devalloc()
0b67eb8568cd58bb77082703951679b42cf098actrawick{
0b67eb8568cd58bb77082703951679b42cf098actrawick # Ensure auditing and device allocation are enabled by
0b67eb8568cd58bb77082703951679b42cf098actrawick # default with Trusted Extensions.
0b67eb8568cd58bb77082703951679b42cf098actrawick if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
5ef3c61605a3a021ff71f488983cb0065f8e1a79covener /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
fb1985a97912b25ec6564c73e610a31e5fc6e25fcovener echo "Starting auditd ..."
09c87c777bed1655621bb20e1c46cb6b1a63279dcovener /usr/sbin/audit -s
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic else
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
3060ce7f798fbda7999cd4ddf89b525d2b294185covener /usr/sbin/audit -s
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic_ENABLE_AUDITD
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic fi
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc}
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc
e466c40e1801982602ee0200c9e8b61cc148742djailletcdo_nscd()
e466c40e1801982602ee0200c9e8b61cc148742djailletc{
457468b82e59d01eba00dd9d0817309c8f5e414ejim# For Trusted Extensions, make nscd service transient in local zones.
457468b82e59d01eba00dd9d0817309c8f5e414ejimcat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
457468b82e59d01eba00dd9d0817309c8f5e414ejim if [ `/sbin/zonename` != "global" ]; then
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton nscd="svc:/system/name-service-cache"
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton duration=""
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem if /bin/svcprop -q -c -p startd/duration $nscd ; then
15660979a30d251681463de2e0584853890082accovener duration=`/bin/svcprop -c -p startd/duration $nscd`
15660979a30d251681463de2e0584853890082accovener fi
49dacedb6c387b786b7911082ff35121a45f414bcovener if [ "$duration" != "transient" ]; then
49dacedb6c387b786b7911082ff35121a45f414bcovener /usr/sbin/svccfg -s $nscd addpg startd framework
cfd9415521847b2f9394fad04fb701cfb955f503rjung /usr/sbin/svccfg -s $nscd setprop \
cfd9415521847b2f9394fad04fb701cfb955f503rjung startd/duration = astring: transient
cfd9415521847b2f9394fad04fb701cfb955f503rjung /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe /usr/sbin/svcadm refresh $nscd
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe fi
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe fi
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe_DEL_LOCAL_NSCD
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe}
8491e0600f69b0405e156ea8a419653c065c645bcovener
63b9f1f5880391261705f696d7d65507bbe9ace3covenerdo_bootupd()
63b9f1f5880391261705f696d7d65507bbe9ace3covener{
63b9f1f5880391261705f696d7d65507bbe9ace3covener if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
49dacedb6c387b786b7911082ff35121a45f414bcovener if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
49dacedb6c387b786b7911082ff35121a45f414bcovener /sbin/bootadm update-archive
49dacedb6c387b786b7911082ff35121a45f414bcovener else
49dacedb6c387b786b7911082ff35121a45f414bcovener /sbin/bootadm update-archive -R $ROOT_PATH
3c990331fc6702119e4f5b8ba9eae3021aea5265jim fi
3c990331fc6702119e4f5b8ba9eae3021aea5265jim fi
3c990331fc6702119e4f5b8ba9eae3021aea5265jim}
3c990331fc6702119e4f5b8ba9eae3021aea5265jim
fc42512879dd0504532f52fe5d0d0383dda96a1eniqsetup_tx_changes(){
fc42512879dd0504532f52fe5d0d0383dda96a1eniq#
fc42512879dd0504532f52fe5d0d0383dda96a1eniq# No comments or blanks lines allowed in entries below
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq#
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niqcat > ${TX_ENTRIES} << EOF
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niqdtlogin account requisite pam_roles.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcdtlogin account required pam_unix_account.so.1
983528026996668ea295be95aedb9c7a346af470ylavicdtsession account requisite pam_roles.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcdtsession account required pam_unix_account.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcgdm account requisite pam_roles.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenergdm account required pam_unix_account.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenerxscreensaver account requisite pam_roles.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenerxscreensaver account required pam_unix_account.so.1
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluempasswd account requisite pam_roles.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerpasswd account required pam_unix_account.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerdtpasswd account requisite pam_roles.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerdtpasswd account required pam_unix_account.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenertsoljds-tstripe account requisite pam_roles.so.1
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluemtsoljds-tstripe account required pam_unix_account.so.1
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrinother account required pam_tsol_account.so.1
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrinEOF
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin}
65967d05f839dbf27cf91d91fa79585eeae19660minfrin
65967d05f839dbf27cf91d91fa79585eeae19660minfrindo_addpam()
65967d05f839dbf27cf91d91fa79585eeae19660minfrin{
65967d05f839dbf27cf91d91fa79585eeae19660minfrin PAM_TMP=/tmp/pam_conf.$$
8152945ae46857b170cb227e79bb799f4fc7710dminfrin TX_ENTRIES=$PAM_TMP/sct.$$
8152945ae46857b170cb227e79bb799f4fc7710dminfrin PAM_DEST=$ROOT_PATH/etc/pam.conf
8152945ae46857b170cb227e79bb799f4fc7710dminfrin
8152945ae46857b170cb227e79bb799f4fc7710dminfrin mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
75f5c2db254c0167a0e396254460de09b775d203trawick setup_tx_changes
75f5c2db254c0167a0e396254460de09b775d203trawick
75f5c2db254c0167a0e396254460de09b775d203trawick # verify that pam.conf file exists...
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph if [ ! -f ${PAM_DEST} ]; then
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph echo "$0: ${PAM_DEST} not found; aborting"
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph exit $SMF_EXIT_ERR_FATAL
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick fi
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick #
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick # Update pam.conf to append Trusted Extensions entries if not
54d750a84a175d8e338880514d440773eb986b50covener # already present.
54d750a84a175d8e338880514d440773eb986b50covener #
54d750a84a175d8e338880514d440773eb986b50covener rm -f /tmp/pamconf.$$
54d750a84a175d8e338880514d440773eb986b50covener while read e1 e2 e3 e4 e5
54d750a84a175d8e338880514d440773eb986b50covener do
54d750a84a175d8e338880514d440773eb986b50covener # If this is the 'other' entry, add it unless it already
54d750a84a175d8e338880514d440773eb986b50covener # exists.
54d750a84a175d8e338880514d440773eb986b50covener if [ $e1 = "other" ]; then
7a3aa12f0eda24793ee26d6a179bd53132e9dae8covener grep \
54d750a84a175d8e338880514d440773eb986b50covener"^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
54d750a84a175d8e338880514d440773eb986b50covener $PAM_DEST >/dev/null 2>&1
83b50288fa7d306324bba68832011ea08f5c7832covener if [ $? = 1 ] ; then
4e30ef014533a7e93c92d88306291f5e49c9692ftrawick # Doesn't exist, enter into pam.conf
83b50288fa7d306324bba68832011ea08f5c7832covener echo "$e1\t$e2 $e3\t\t$e4 $e5" \
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick >> /tmp/pamconf.$$
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick fi
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick else
2e15620d724fb8e3a5be183b917359a2fd6e9468covener # Add other entries unless they already have a
2e15620d724fb8e3a5be183b917359a2fd6e9468covener # stack of their own.
2e15620d724fb8e3a5be183b917359a2fd6e9468covener grep "^[# ]*$e1[ ][ ]*$e2[ ]" \
2e15620d724fb8e3a5be183b917359a2fd6e9468covener $PAM_DEST >/dev/null 2>&1
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener if [ $? = 1 ] ; then
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener echo "$e1\t$e2 $e3\t\t$e4 $e5" \
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener >> /tmp/pamconf.$$
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener fi
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener fi
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener done < ${TX_ENTRIES}
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener # Append TX lines if any were not present already.
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd if [ -f /tmp/pamconf.$$ ] ; then
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd echo "# Entries for Trusted Extensions" >> $PAM_DEST
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd cat /tmp/pamconf.$$ >> $PAM_DEST
179565be4043d7e5f9161aa75271fa0a001866d9covener echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
179565be4043d7e5f9161aa75271fa0a001866d9covener echo "$0: please examine/update any new entries"
179565be4043d7e5f9161aa75271fa0a001866d9covener rm -f /tmp/pamconf.$$
111436a32ba1254291e4883292fb116d15fe8f64covener fi
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener rm -rf $PAM_TMP
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener}
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawickdo_pamremove()
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick{
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick PAM_TMP=/tmp/pam_conf.$$
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz TX_ENTRIES=$PAM_TMP/sct.$$
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz PAM_DEST=$ROOT_PATH/etc/pam.conf
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz TMPFILE=$PAM_TMP/pam.conf
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza
efe780dcf13b2b95effabf897d694d8f23feac74trawick # verify that pam.conf file exists...
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin if [ ! -f ${PAM_DEST} ]; then
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin echo "$0: ${PAM_DEST} not found; aborting"
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin exit $SMF_EXIT_ERR_FATAL
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza fi
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza
ba050a6f942b9fa0e81ed73437588005c569655ccovener grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
ba050a6f942b9fa0e81ed73437588005c569655ccovener if [ $? -ne 0 ]; then
ba050a6f942b9fa0e81ed73437588005c569655ccovener echo "$0: pam_tsol_account module not present,"
ba050a6f942b9fa0e81ed73437588005c569655ccovener echo "$0: No changes were made to $PAM_DEST."
135ddda3a989215d2bedbcf1529bfb269c3eda23niq return
135ddda3a989215d2bedbcf1529bfb269c3eda23niq fi
135ddda3a989215d2bedbcf1529bfb269c3eda23niq
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh grep -v pam_tsol_account $PAM_DEST > $TMPFILE
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh echo "$0: $PAM_DEST "tsol" entries removed"
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh cp $TMPFILE $PAM_DEST
efe780dcf13b2b95effabf897d694d8f23feac74trawick
793214f67dede32edfd9ee96c664ead04d175cbbjfclere rm -rf $PAM_TMP
cc5a4a08dc9783fcbc52ce86f11e01c281a43810minfrin}
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovenerdo_commonstart()
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener{
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza echo "$0: Updating $ROOT_PATH/etc/system..."
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza if [ ! -f ${ROOT_PATH}/etc/system ]; then
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza touch ${ROOT_PATH}/etc/system
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza fi
56589be3d7a3e9343370df240010c6928cc78b39jkaluza
56589be3d7a3e9343370df240010c6928cc78b39jkaluza # Set sys_labeling in etc/system
56589be3d7a3e9343370df240010c6928cc78b39jkaluza grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc echo "set sys_labeling=1" >> /tmp/etc.system.$$
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc if [ $? -ne 0 ]; then
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick exit $SMF_EXIT_ERR_FATAL
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick fi
4d12805e6c18253040223ea637acd6b3b3c18f60jorton
4d12805e6c18253040223ea637acd6b3b3c18f60jorton # Setup dependent services
4d12805e6c18253040223ea637acd6b3b3c18f60jorton do_otherservices
85eacfc96a04547ef25aabbc06440039715084c2jorton
85eacfc96a04547ef25aabbc06440039715084c2jorton do_logindev
e5d909f2b06bd880fb3675cd49363df981caa631trawick do_audit_devalloc
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener do_nscd
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener do_addpam
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener
cb666b29f81df1d11d65002250153353568021fccovener do_bootupd
cb666b29f81df1d11d65002250153353568021fccovener}
cb666b29f81df1d11d65002250153353568021fccovener
6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covenerdo_servicetag_register()
1c2cab00d988fc48cbe59032cf76cc0bab20d6f7covener{
6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covener ROOTDIR=$1
75a230a728338d84dcfe81edd375352f34de22d0covener SOL_ARCH=`/sbin/uname -p`
75a230a728338d84dcfe81edd375352f34de22d0covener SOL_VERS=`/sbin/uname -r`
75a230a728338d84dcfe81edd375352f34de22d0covener TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener if [ ! -x /usr/bin/stclient ]; then
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener return
63a5ea80bddcc84a462e40f402b4f330e0e05411covener fi
63a5ea80bddcc84a462e40f402b4f330e0e05411covener
63a5ea80bddcc84a462e40f402b4f330e0e05411covener # if already registered then do nothing more here
63a5ea80bddcc84a462e40f402b4f330e0e05411covener inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
65a4e663b82f8bce28ac22ab2edfd7502de36998sf if [ -n "$inst" ]; then
65a4e663b82f8bce28ac22ab2edfd7502de36998sf # this instance id was saved in a SMF property
65a4e663b82f8bce28ac22ab2edfd7502de36998sf /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1
65a4e663b82f8bce28ac22ab2edfd7502de36998sf if [ $? = 0 ]; then
c7de1955eb0eaeabf7042902476397692672d549sf # matching service tag found, so do nothing
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin return
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin else
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin # no match for instance id saved in SMF property
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin /usr/sbin/svccfg -s $SMF_FMRI delprop \
a511a29faf2ff7ead3b67680154a624effb31aafminfrin labeld/svctag_inst
a511a29faf2ff7ead3b67680154a624effb31aafminfrin /usr/sbin/svcadm refresh $SMF_FMRI
a511a29faf2ff7ead3b67680154a624effb31aafminfrin fi
a511a29faf2ff7ead3b67680154a624effb31aafminfrin fi
a511a29faf2ff7ead3b67680154a624effb31aafminfrin
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin # fall through: no service tag, or does not match saved instance id
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin
deec48c67d4786bc77112ffbf3a4e70b931097edminfrin # determine the urn of the parent (Solaris)
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin SOL_PROD_URN=""
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin case $SOL_VERS in
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin 5.11)
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
684e0cfc200f66287a93bbd1708d1dd8a92a7eefcovener ;;
684e0cfc200f66287a93bbd1708d1dd8a92a7eefcovener 5.10)
5c43d2fb853f84497b5ece2d414ef9484aa87e5fsf SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
05a5a9c3e16f21566e1b61f4bd68025ce1b741ccjoes ;;
05a5a9c3e16f21566e1b61f4bd68025ce1b741ccjoes esac
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq
26c5829347f6a355c00f1ba0301d575056b69536niq # add the service tag
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq -e $SOL_VERS -t $TX_PROD_URN -P Solaris $SOL_PROD_URN \
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq -m Sun -A $SOL_ARCH -z global -S $0 -r $ROOTDIR`
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq if [ $? = 0 ]; then
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq # save instance id in SMF property
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq inst=`echo "$RC" | grep -i urn|awk -F= '{print $2}'`
413ee814748f37be168ff12407fa6dba0ceeabe6trawick /usr/sbin/svccfg -s $SMF_FMRI setprop \
c12917da693bae4028a1d5a5e8224bceed8c739dsf labeld/svctag_inst = astring: "$inst"
c12917da693bae4028a1d5a5e8224bceed8c739dsf /usr/sbin/svcadm refresh $SMF_FMRI
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf fi
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf}
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsfdo_servicetag_delete()
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf{
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf if [ ! -x /usr/bin/stclient ]; then
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf return
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf fi
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf
9811aed12bbc71783d2e544ccb5fecd193843eadsf if [ -n "$inst" ]; then
9811aed12bbc71783d2e544ccb5fecd193843eadsf # delete service tag
9811aed12bbc71783d2e544ccb5fecd193843eadsf /usr/bin/stclient -d -i $inst
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung # delete saved instance id
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung /usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
bd3f5647b96d378d9c75c954e3f13582af32c643sf /usr/sbin/svcadm refresh $SMF_FMRI
bd3f5647b96d378d9c75c954e3f13582af32c643sf fi
bd3f5647b96d378d9c75c954e3f13582af32c643sf}
bd3f5647b96d378d9c75c954e3f13582af32c643sf
bd3f5647b96d378d9c75c954e3f13582af32c643sf
2a7beea91d46beb41f043a84eaad060047ee04aafabiendaemon_start()
2a7beea91d46beb41f043a84eaad060047ee04aafabien{
2a7beea91d46beb41f043a84eaad060047ee04aafabien # If a labeld door exists, check for a labeld process and exit
2a7beea91d46beb41f043a84eaad060047ee04aafabien # if the daemon is already running.
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf if [ -r /var/tsol/doors/labeld ]; then
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf echo "$0: labeld is already running"
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf exit $SMF_EXIT_ERR_FATAL
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf fi
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf fi
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf /usr/bin/rm -f /var/tsol/doors/labeld
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf /usr/lib/labeld
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf}
132ee6ac1c26d6e8953836316ba50734eefab47bsf
132ee6ac1c26d6e8953836316ba50734eefab47bsfPATH=/usr/sbin:/usr/bin; export PATH
132ee6ac1c26d6e8953836316ba50734eefab47bsf
85eacfc96a04547ef25aabbc06440039715084c2jortoncase "$1" in
85eacfc96a04547ef25aabbc06440039715084c2jorton'start')
85eacfc96a04547ef25aabbc06440039715084c2jorton if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick # native
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick if [ -z "$SMF_FMRI" ]; then
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick echo "$0: this script can only be invoked by smf(5)"
79c5787b92ac5f0e1cc82393816c77a006399316trawick exit $SMF_EXIT_ERR_NOSMF
79c5787b92ac5f0e1cc82393816c77a006399316trawick fi
79c5787b92ac5f0e1cc82393816c77a006399316trawick
79c5787b92ac5f0e1cc82393816c77a006399316trawick tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
c967bf3bc89e8aa60dbd30d9da388e448ddc1cc4trawick if [ "$tx_enabled" = "false" ]; then
79c5787b92ac5f0e1cc82393816c77a006399316trawick # A sign of trying temporary enablement...no-no
79c5787b92ac5f0e1cc82393816c77a006399316trawick echo "$0: Temporarily enabling Trusted Extensions is not allowed."
79c5787b92ac5f0e1cc82393816c77a006399316trawick exit $SMF_EXIT_ERR_CONFIG
79c5787b92ac5f0e1cc82393816c77a006399316trawick fi
79c5787b92ac5f0e1cc82393816c77a006399316trawick
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton if (smf_is_system_labeled); then
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton do_servicetag_register /
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton daemon_start
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton exit $SMF_EXIT_OK
536e48c08d674acac5d44929318f2ad928edc361jorton fi
536e48c08d674acac5d44929318f2ad928edc361jorton
e81785da447b469da66f218b3f0244aab507958djorton # Make changes to enable Trusted Extensions
e81785da447b469da66f218b3f0244aab507958djorton grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton if [ $? -eq 0 ]; then
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton echo "$0: already enabled. Exiting."
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton exit $SMF_EXIT_OK
53e9b27aba029b18be814df40bcf6f0428771d1efuankg fi
53e9b27aba029b18be814df40bcf6f0428771d1efuankg
53e9b27aba029b18be814df40bcf6f0428771d1efuankg if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
53e9b27aba029b18be814df40bcf6f0428771d1efuankg echo "$0: Must remove zones before enabling Trusted Extensions."
53e9b27aba029b18be814df40bcf6f0428771d1efuankg exit $SMF_EXIT_ERR_CONFIG
6bb524f1895f30265a1431afc460977d391cb36bsf fi
6bb524f1895f30265a1431afc460977d391cb36bsf
ca61ccd0c306c2c72df153688ba1b49f3eceed80sf do_commonstart
6bb524f1895f30265a1431afc460977d391cb36bsf
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin do_servicetag_register /
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin # start daemon proccess so our service doesn't go into
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin # maintenance state
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin daemon_start
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin echo "$0: Started. Must reboot and configure Trusted Extensions."
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin else
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung # Support jumpstart etc
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung # Make changes to enable Trusted Extensions
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung if [ $? -eq 0 ]; then
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung echo "$0: already enabled. Exiting."
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung exit $SMF_EXIT_OK
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung fi
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick # Setup dependent services
0827cb14e550f6f65018431c22c2c913631c8f25kbrand cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick /usr/sbin/svcadm enable -s svc:/system/labeld:default
ae600ca541efc686b34f8b1f21bd3d0741d37674covener__TRUSTED_ENABLE
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick
cfa64348224b66dd1c9979b809406c4d15b1c137fielding do_commonstart
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim do_servicetag_register $ROOT_PATH
cfa64348224b66dd1c9979b809406c4d15b1c137fielding echo "$0: Started. Must configure Trusted Extensions before booting."
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim fi
cfa64348224b66dd1c9979b809406c4d15b1c137fielding ;;
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim
cfa64348224b66dd1c9979b809406c4d15b1c137fielding'stop')
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
cfa64348224b66dd1c9979b809406c4d15b1c137fielding if [ "$tx_enabled" = "true" ]; then
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
exit $SMF_EXIT_OK
fi
if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
echo "$0: Must remove zones before disabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
# Stop Trusted services.
/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
# Uncomment audio, usb, removable-media, and hotpluggable device
# entries in /etc/logindevperm.
rewrite_logindev "#" ""
# Remove sys_labeling from /etc/system
grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
do_pamremove
do_servicetag_delete
do_bootupd
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
echo "$0: Stopped. Will take effect at next boot."
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit $SMF_EXIT_OK