svc-labeld revision 583b61f62d9b9c5ac6bbc290b4e91263dfb202b4
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER START
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# The contents of this file are subject to the terms of the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Common Development and Distribution License (the "License").
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You may not use this file except in compliance with the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# See the License for the specific language governing permissions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# and limitations under the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# When distributing Covered Code, include this CDDL HEADER in each
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# If applicable, add the following below this CDDL HEADER, with the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# fields enclosed by brackets "[]" replaced with your own identifying
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# information: Portions Copyright [yyyy] [name of copyright owner]
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER END
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Use is subject to license terms.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#ident "%Z%%M% %I% %E% SMI"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax: -R allowed for start method only"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid -R rootpath dir specified"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: not supported in a local zone"
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # Comment out audio, usb, removable-media, and hotpluggable device
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj if [ ! -f $LOGINDEVPERM ]; then
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj sed -e "s!^$from$line!$to$line!" $LOGINDEVPERM > /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Run bsmconv so audit and device allocation is enabled by
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# For Trusted Extensions, make nscd service transient in local zones.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricacat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica# No comments or blanks lines allowed in entries below
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtlogin account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtlogin account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtsession account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtsession account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricagdm account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricagdm account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaxscreensaver account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaxscreensaver account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricapasswd account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricapasswd account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtpasswd account requisite pam_roles.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricadtpasswd account required pam_unix_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4cricaother account required pam_tsol_account.so.1
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ ! -f ${PAM_DEST} ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica # Update pam.conf to append Trusted Extensions entries if not
8700009e2cc8cb186241e1fdd74973da1121ee4crica # If this is the 'other' entry, add it unless it already
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? = 1 ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? = 1 ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ -f /tmp/pamconf.$$ ] ; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ ! -f ${PAM_DEST} ]; then
8700009e2cc8cb186241e1fdd74973da1121ee4crica grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
8700009e2cc8cb186241e1fdd74973da1121ee4crica if [ $? -ne 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ ! -f ${ROOT_PATH}/etc/system ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -ne 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # If a labeld door exists, check for a labeld process and exit
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -z "$SMF_FMRI" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: this script can only be invoked by smf(5)"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # A sign of trying temporary enablement...no-no
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Temporarily enabling Trusted Extensions is not allowed."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before enabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # start daemon proccess so our service doesn't go into
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # maintenance state
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must reboot and configure Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Support jumpstart etc
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Setup dependent services
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must configure Trusted Extensions before booting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before disabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Stop Trusted services.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # Uncomment audio, usb, removable-media, and hotpluggable device
583b61f62d9b9c5ac6bbc290b4e91263dfb202b4aj # entries in /etc/logindevperm.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Remove sys_labeling from /etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Stopped. Will take effect at next boot."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "Usage: $0 { start | stop }"