#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
# Optional "-R rootpath" handling: the start method may be pointed at an
# alternate root (the "Support jumpstart" path below) instead of the
# live system.  NOTE(review): this copy of the file is missing lines in
# this run -- "$3" is read even though any invocation with more than one
# argument is rejected just above, and the two trailing "fi" lines have
# no visible "if".  Consult the original for the real nesting before
# changing anything here.
ROOT_PATH=""
if [ $# -gt 1 ]; then
echo "$0: invalid syntax"
exit $SMF_EXIT_ERR_CONFIG
fi
# "-R /" means the running system: leave ROOT_PATH empty so the
# $ROOT_PATH/... paths used by the helpers below are unprefixed.
if [ "$3" != "/" ]; then
ROOT_PATH=$3
fi
fi
echo "$0: invalid syntax: -R allowed for start method only"
exit $SMF_EXIT_ERR_CONFIG
fi
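# Reject a -R root path that is not an existing directory.  Two
# separate tests joined with "&&" replace the "-a" operator inside a
# single "[ ... ]", which is deprecated and ambiguous once operands can
# look like options; both expansions stay quoted so an empty value or a
# path containing spaces cannot change the shape of the test.  Note
# that "-d" is the only validation the path gets -- it is later spliced
# into $ROOT_PATH/etc/system, $ROOT_PATH/var/svc/profile/upgrade and
# friends, so it must come from a trusted caller (smf / install).
if [ -n "$ROOT_PATH" ] && [ ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi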
# Trusted Extensions can only be enabled from the global zone: abort
# with a configuration error when smf_is_nonglobalzone (from
# smf_include.sh) reports that we are inside a local zone.
smf_is_nonglobalzone && {
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
}
# Body of the /etc/logindevperm rewriter, invoked below as
# "rewrite_logindev FROM TO" ("" "#" comments entries out, "#" "" puts
# them back).  NOTE(review): the "name() " line and most of the edit
# loop are missing from this copy -- the "; do" below has no loop head
# and nothing writes /tmp/tmp.$$ before it is copied back.
{
from="$1"
to="$2"
# Comment out audio, usb, removable-media, and hotpluggable device
# entries in /etc/logindevperm.
if [ ! -f $LOGINDEVPERM ]; then
return
fi
; do
# NOTE(review): /tmp/tmp.$$ is a predictable name in a world-writable
# directory.  This method presumably runs as root (it rewrites
# /etc/system and pam.conf), so a local user who pre-creates or
# symlinks /tmp/tmp.<pid> can influence what ends up in $LOGINDEVPERM
# or where the earlier write lands.  Prefer mktemp(1) plus a trap that
# removes the file on exit, and quote $LOGINDEVPERM.
cp /tmp/tmp.$$ $LOGINDEVPERM
done
}
# Comments out the device entries in /etc/logindevperm (FROM="" ,
# TO="#"); the stop path below does the reverse with "#" "".
# NOTE(review): the "name() " line of this wrapper is not in this copy.
{
rewrite_logindev "" "#"
}
# Appends to $ROOT_PATH/var/svc/profile/upgrade the svccfg command that
# turns on TCP listening for the x11-server service.  NOTE(review): this
# widens the X server's network exposure; it is presumably needed so
# labeled zones can reach the global-zone display, but confirm it is
# still required and that the tsol/firewall policy limits who can
# connect.  Also note the heredoc terminator (__ENABLE_OTHERS) and the
# function's name line are missing from this copy, so as written the
# closing brace would be swallowed by the heredoc.  $ROOT_PATH is
# unquoted in the redirection.
{
# Setup dependent services
cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
/usr/sbin/svccfg -s svc:/application/x11/x11-server \
setprop options/tcp_listen = true
}
# Runs bsmconv so that auditing and device allocation are on by default
# once Trusted Extensions is enabled.  NOTE(review): the "else"/"fi"
# pair below has no matching "if" in this copy and the bsmconv
# invocation itself is absent; BSMDIR is presumably chosen according to
# $ROOT_PATH -- confirm against the original.
{
# Run bsmconv so audit and device allocation is enabled by
# default with Trusted Extensions.
BSMDIR=""
else
fi
echo "Running bsmconv ..."
}
# do_nscd -- appends to $ROOT_PATH/var/svc/profile/upgrade a snippet
# that makes the name-service-cache service transient inside local
# (labeled) zones.  NOTE(review): the heredoc terminator (_DEL_LOCAL_NSCD)
# and the if-logic around "duration" are missing from this copy; the
# three "fi" lines below have no visible "if", and everything after the
# cat line would be heredoc content as written.  $ROOT_PATH is unquoted.
do_nscd()
{
# For Trusted Extensions, make nscd service transient in local zones.
cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
nscd="svc:/system/name-service-cache"
duration=""
fi
fi
fi
}
# NOTE(review): fragment only -- the opening brace and closing
# "else"/"fi"/"fi" of a function whose body and name are not in this
# copy.  Nothing here can be documented; see the original file.
{
else
fi
fi
}
#
# No comments or blanks lines allowed in entries below
#
# Writes the Trusted Extensions pam.conf "account" entries to
# $TX_ENTRIES; the merge loop further down reads this file one line at
# a time ("done < ${TX_ENTRIES}"), hence the no-comments rule above.
# Each login-type service gets pam_roles.so.1 as "requisite" (a failure
# ends the stack immediately -- per pam.conf, presumably so a role
# account cannot log in directly) followed by pam_unix_account.so.1 as
# "required"; the catch-all "other" service gets pam_tsol_account.so.1,
# presumably the TX label-policy module -- see pam_tsol_account(5).
# The unquoted EOF delimiter is harmless here (the body contains no
# "$"), but <<'EOF' would make the no-expansion intent explicit.
# NOTE(review): the opening "name() {" of this function is not in this
# copy -- only its closing brace survives.
cat > ${TX_ENTRIES} << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}
# Merges the Trusted Extensions entries from $TX_ENTRIES into $PAM_DEST
# (pam.conf): the "other" entry is added unless already present, every
# other service is added unless it already has an account stack of its
# own.  NOTE(review): this copy is missing the function's name line,
# the loop head that matches "done < ${TX_ENTRIES}", the grep arguments
# (the "grep \" continuation runs straight into the "if"), and the
# commands whose status the "$?" tests examine.
{
# NOTE(review): $PAM_TMP is unquoted and defined outside this view.
# A plain mkdir (no -p) failing into "|| exit" is the right atomic guard
# against a pre-existing attacker-owned path, provided nothing later
# falls back to a different directory; mktemp -d would remove the
# question entirely.
mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
# verify that pam.conf file exists...
if [ ! -f ${PAM_DEST} ]; then
echo "$0: ${PAM_DEST} not found; aborting"
exit $SMF_EXIT_ERR_FATAL
fi
#
# Update pam.conf to append Trusted Extensions entries if not
# already present.
#
do
# If this is the 'other' entry, add it unless it already
# exists.
grep \
if [ $? = 1 ] ; then
# Doesn't exist, enter into pam.conf
fi
else
# Add other entries unless they already have a
# stack of their own.
if [ $? = 1 ] ; then
fi
fi
done < ${TX_ENTRIES}
# Append TX lines if any were not present already.
# NOTE(review): grep's status 1 (no match) is treated as "absent"; a
# status of 2 (error, e.g. unreadable file) would silently count as
# "present" and skip the entry -- worth distinguishing in the original.
echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
fi
}
# Pre-flight for the pam.conf update: creates $PAM_TMP, checks that
# $PAM_DEST exists, and returns without touching pam.conf when the
# pam_tsol_account module cannot be found.  NOTE(review): the function's
# name line and the command whose status is tested by "$? -ne 0" (the
# module lookup) are missing from this copy; $PAM_TMP is unquoted.
{
mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
# verify that pam.conf file exists...
if [ ! -f ${PAM_DEST} ]; then
echo "$0: ${PAM_DEST} not found; aborting"
exit $SMF_EXIT_ERR_FATAL
fi
# A missing module means the entries written above would reference a
# non-existent library, so bail out (return, not exit) leaving pam.conf
# untouched.
if [ $? -ne 0 ]; then
echo "$0: pam_tsol_account module not present,"
echo "$0: No changes were made to $PAM_DEST."
return
fi
}
# Adds "sys_labeling" to $ROOT_PATH/etc/system (the kernel switch that
# turns Trusted Extensions on at the next boot) and fails the method
# if that edit does not succeed.  NOTE(review): the function's name
# line, the edit command itself and the "if" matching the first "fi"
# are missing from this copy.
{
echo "$0: Updating $ROOT_PATH/etc/system..."
fi
if [ $? -ne 0 ]; then
echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
# Setup dependent services
}
# Guards against starting a second labeld: if the door file exists and
# a labeld process is already running, fail the method.  NOTE(review):
# the function's name line and both "if" conditions (door test, process
# check) are missing from this copy -- only their "fi" lines survive.
{
# If a labeld door exists, check for a labeld process and exit
# if the daemon is already running.
echo "$0: labeld is already running"
exit $SMF_EXIT_ERR_FATAL
fi
fi
}
# Method dispatch.  NOTE(review): several "if" lines are missing from
# this copy (the stray "fi" after the "Must remove zones" messages, and
# the commands whose status the "$? -eq 0" tests examine), and
# $tx_enabled is set outside this view -- presumably read from a
# property of $SMF_FMRI.
case "$1" in
'start')
# native
# Refuse direct invocation: the method relies on SMF-provided
# environment and the service's configuration.
if [ -z "$SMF_FMRI" ]; then
echo "$0: this script can only be invoked by smf(5)"
exit $SMF_EXIT_ERR_NOSMF
fi
# A temporary enable (svcadm enable -t) leaves the persistent
# setting false; refuse it so TX cannot be half-enabled.
if [ "$tx_enabled" = "false" ]; then
# A sign of trying temporary enablement...no-no
echo "$0: Temporarily enabling Trusted Extensions is not allowed."
exit $SMF_EXIT_ERR_CONFIG
fi
# Already labeled (kernel side): nothing to do.
if (smf_is_system_labeled); then
exit $SMF_EXIT_OK
fi
# Make changes to enable Trusted Extensions
# NOTE(review): the command tested here is missing; given the message
# it presumably checks for sys_labeling in /etc/system.
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
# NOTE(review): the zone-presence check that owns this "fi" is missing.
echo "$0: Must remove zones before enabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
# start daemon proccess so our service doesn't go into
# maintenance state
echo "$0: Started. Must reboot and configure Trusted Extensions."
else
# Support jumpstart etc
# Make changes to enable Trusted Extensions
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
# Setup dependent services
echo "$0: Started. Must configure Trusted Extensions before booting."
fi
;;
'stop')
# Mirror of the start-side guard: a stop while the persistent setting
# is still true (a temporary disable) makes no changes -- presumably.
if [ "$tx_enabled" = "true" ]; then
exit $SMF_EXIT_OK
fi
# NOTE(review): the zone-presence check that owns this "fi" is missing.
echo "$0: Must remove zones before disabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
# Stop Trusted services.
# Uncomment audio, usb, removable-media, and hotpluggable device
# entries in /etc/logindevperm.
rewrite_logindev "#" ""
# NOTE(review): the sense is inverted relative to the start path
# ("-ne 0" is the error there, "-eq 0" here).  The tested command is
# missing from this copy; presumably it greps for sys_labeling after
# the removal, so a hit means the removal failed -- confirm.
if [ $? -eq 0 ]; then
echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
echo "$0: Stopped. Will take effect at next boot."
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit $SMF_EXIT_OK