svc-labeld revision 269f47de02761bab3b7b28e2007a2bac34f629cc
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem# CDDL HEADER START
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# The contents of this file are subject to the terms of the
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# Common Development and Distribution License (the "License").
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic# You may not use this file except in compliance with the License.
4da61833a1cbbca94094f9653fd970582b97a72etrawick# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
4da61833a1cbbca94094f9653fd970582b97a72etrawick# See the License for the specific language governing permissions
4da61833a1cbbca94094f9653fd970582b97a72etrawick# and limitations under the License.
4789804be088bcd86ae637a29cdb7fda25169521jailletc# When distributing Covered Code, include this CDDL HEADER in each
4789804be088bcd86ae637a29cdb7fda25169521jailletc# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
4789804be088bcd86ae637a29cdb7fda25169521jailletc# If applicable, add the following below this CDDL HEADER, with the
e50c3026198fd496f183cda4c32a202925476778covener# fields enclosed by brackets "[]" replaced with your own identifying
e50c3026198fd496f183cda4c32a202925476778covener# information: Portions Copyright [yyyy] [name of copyright owner]
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin# CDDL HEADER END
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic echo "$0: invalid syntax"
d58a848a016d401b965111e50ef829e1641f7834minfrin echo "$0: invalid syntax: -R allowed for start method only"
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf echo "$0: invalid -R rootpath dir specified"
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic echo "$0: not supported in a local zone"
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic # Comment out audio, usb, removable-media, and hotpluggable device
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic if [ ! -f $LOGINDEVPERM ]; then
44ff304057225e944e220e981d434a046d14cf06covener sed -e "s!^$from\([^# ]\{1,\}[ }\{1,\}[0-9]\{1,\}[ ]\{1,\}\)$line!$to\1$line!" \
2165214331e4afafca4048f66f303d0253d7b001covener cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
1e2d421a36999d292042a5539971070d54aa6c63ylavic /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
0b67eb8568cd58bb77082703951679b42cf098actrawick # Ensure auditing and device allocation are enabled by
0b67eb8568cd58bb77082703951679b42cf098actrawick if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
5ef3c61605a3a021ff71f488983cb0065f8e1a79covener /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
457468b82e59d01eba00dd9d0817309c8f5e414ejim# For Trusted Extensions, make nscd service transient in local zones.
457468b82e59d01eba00dd9d0817309c8f5e414ejimcat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem if /bin/svcprop -q -c -p startd/duration $nscd ; then
63b9f1f5880391261705f696d7d65507bbe9ace3covener if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
fc42512879dd0504532f52fe5d0d0383dda96a1eniq# No comments or blanks lines allowed in entries below
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niqdtlogin account requisite pam_roles.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcdtlogin account required pam_unix_account.so.1
983528026996668ea295be95aedb9c7a346af470ylavicdtsession account requisite pam_roles.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcdtsession account required pam_unix_account.so.1
da0442c0440caef34706e2c2f3af05cb65921cc0jailletcgdm account requisite pam_roles.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenergdm account required pam_unix_account.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenerxscreensaver account requisite pam_roles.so.1
06b8f183140c8e02e0974e938a05078b511d1603covenerxscreensaver account required pam_unix_account.so.1
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluempasswd account requisite pam_roles.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerpasswd account required pam_unix_account.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerdtpasswd account requisite pam_roles.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenerdtpasswd account required pam_unix_account.so.1
259878293a997ff49f5ddfc53d3739cbdc25444ecovenertsoljds-tstripe account requisite pam_roles.so.1
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluemtsoljds-tstripe account required pam_unix_account.so.1
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrinother account required pam_tsol_account.so.1
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph if [ ! -f ${PAM_DEST} ]; then
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick # Update pam.conf to append Trusted Extensions entries if not
54d750a84a175d8e338880514d440773eb986b50covener # If this is the 'other' entry, add it unless it already
83b50288fa7d306324bba68832011ea08f5c7832covener if [ $? = 1 ] ; then
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener if [ $? = 1 ] ; then
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd if [ -f /tmp/pamconf.$$ ] ; then
179565be4043d7e5f9161aa75271fa0a001866d9covener echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin if [ ! -f ${PAM_DEST} ]; then
ba050a6f942b9fa0e81ed73437588005c569655ccovener grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
ba050a6f942b9fa0e81ed73437588005c569655ccovener if [ $? -ne 0 ]; then
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza if [ ! -f ${ROOT_PATH}/etc/system ]; then
56589be3d7a3e9343370df240010c6928cc78b39jkaluza grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc if [ $? -ne 0 ]; then
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
75a230a728338d84dcfe81edd375352f34de22d0covener TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener if [ ! -x /usr/bin/stclient ]; then
63a5ea80bddcc84a462e40f402b4f330e0e05411covener inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
65a4e663b82f8bce28ac22ab2edfd7502de36998sf /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1
65a4e663b82f8bce28ac22ab2edfd7502de36998sf if [ $? = 0 ]; then
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin # fall through: no service tag, or does not match saved instance id
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
5c43d2fb853f84497b5ece2d414ef9484aa87e5fsf SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq if [ $? = 0 ]; then
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf if [ ! -x /usr/bin/stclient ]; then
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung /usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
2a7beea91d46beb41f043a84eaad060047ee04aafabien # If a labeld door exists, check for a labeld process and exit
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick if [ -z "$SMF_FMRI" ]; then
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick echo "$0: this script can only be invoked by smf(5)"
79c5787b92ac5f0e1cc82393816c77a006399316trawick tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
79c5787b92ac5f0e1cc82393816c77a006399316trawick # A sign of trying temporary enablement...no-no
79c5787b92ac5f0e1cc82393816c77a006399316trawick echo "$0: Temporarily enabling Trusted Extensions is not allowed."
e81785da447b469da66f218b3f0244aab507958djorton # Make changes to enable Trusted Extensions
e81785da447b469da66f218b3f0244aab507958djorton grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton echo "$0: already enabled. Exiting."
53e9b27aba029b18be814df40bcf6f0428771d1efuankg if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
53e9b27aba029b18be814df40bcf6f0428771d1efuankg echo "$0: Must remove zones before enabling Trusted Extensions."
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin # start daemon proccess so our service doesn't go into
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin # maintenance state
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin echo "$0: Started. Must reboot and configure Trusted Extensions."
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung # Support jumpstart etc
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung # Make changes to enable Trusted Extensions
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung echo "$0: already enabled. Exiting."
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick # Setup dependent services
0827cb14e550f6f65018431c22c2c913631c8f25kbrand cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick /usr/sbin/svcadm enable -s svc:/system/labeld:default
cfa64348224b66dd1c9979b809406c4d15b1c137fielding echo "$0: Started. Must configure Trusted Extensions before booting."
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
exit $SMF_EXIT_OK
exit $SMF_EXIT_ERR_CONFIG
# entries in /etc/logindevperm.
echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
exit $SMF_EXIT_OK