svc-labeld revision f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#!/sbin/sh
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER START
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# The contents of this file are subject to the terms of the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Common Development and Distribution License (the "License").
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You may not use this file except in compliance with the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# or http://www.opensolaris.org/os/licensing.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# See the License for the specific language governing permissions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# and limitations under the License.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# When distributing Covered Code, include this CDDL HEADER in each
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# If applicable, add the following below this CDDL HEADER, with the
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# fields enclosed by brackets "[]" replaced with your own identifying
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# information: Portions Copyright [yyyy] [name of copyright owner]
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# CDDL HEADER END
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# Use is subject to license terms.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica#ident "%Z%%M% %I% %E% SMI"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica. /lib/svc/share/smf_include.sh
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaROOT_PATH=""
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaif [ $# -gt 1 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $# -ne 3 -o "$2" != "-R" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "$3" != "/" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica ROOT_PATH=$3
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricafi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaif [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid syntax: -R allowed for start method only"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricafi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: invalid -R rootpath dir specified"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricafi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaif smf_is_nonglobalzone; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: not supported in a local zone"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricafi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_logindev()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Comment out audio and usb device entries in /etc/logindevperm.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -f $LOGINDEVPERM ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica line="\/dev\/console 0600 \/dev\/sound\/\*"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cp /tmp/tmp.$$ $LOGINDEVPERM
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cp /tmp/tmp.$$ $LOGINDEVPERM
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica rm -f /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_otherservices()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Setup dependent services
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable -s svc:/network/tnd:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svccfg -s svc:/application/x11/x11-server \
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica setprop options/tcp_listen = true
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica__ENABLE_OTHERS
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_bsmconv()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Run bsmconv so audit and device allocation is enabled by
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # default with Trusted Extensions.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica BSMDIR=""
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica else
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica BSMDIR=$ROOT_PATH
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "Running bsmconv ..."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_nscd()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica# For Trusted Extensions, make nscd service transient in local zones.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricacat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ `/sbin/zonename` != "global" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica nscd="svc:/system/name-service-cache"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica duration=""
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if /bin/svcprop -q -c -p startd/duration $nscd ; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica duration=`/bin/svcprop -c -p startd/duration $nscd`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "$duration" != "transient" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svccfg -s $nscd addpg startd framework
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svccfg -s $nscd setprop \
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica startd/duration = astring: transient
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm refresh $nscd
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica_DEL_LOCAL_NSCD
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_bootupd()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /sbin/bootadm update-archive
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica else
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /sbin/bootadm update-archive -R $ROOT_PATH
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricado_commonstart()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Updating $ROOT_PATH/etc/system..."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ ! -f ${ROOT_PATH}/etc/system ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica touch ${ROOT_PATH}/etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Set sys_labeling in etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "set sys_labeling=1" >> /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -ne 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_FATAL
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_bootupd
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Setup dependent services
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_otherservices
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_logindev
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_bsmconv
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_nscd
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricadaemon_start()
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica{
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # If a labeld door exists, check for a labeld process and exit
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # if the daemon is already running.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -r /var/tsol/doors/labeld ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: labeld is already running"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_FATAL
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/bin/rm -f /var/tsol/doors/labeld
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/lib/labeld
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica}
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaPATH=/usr/sbin:/usr/bin; export PATH
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricacase "$1" in
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica'start')
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # native
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -z "$SMF_FMRI" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: this script can only be invoked by smf(5)"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_NOSMF
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "$tx_enabled" = "false" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # A sign of trying temporary enablement...no-no
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Temporarily enabling Trusted Extensions is not allowed."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if (smf_is_system_labeled); then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica daemon_start
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_OK
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -eq 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_OK
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before enabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_commonstart
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # start daemon proccess so our service doesn't go into
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # maintenance state
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica daemon_start
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must reboot and configure Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica else
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Support jumpstart etc
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Make changes to enable Trusted Extensions
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -eq 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: already enabled. Exiting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_OK
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Setup dependent services
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm enable -s svc:/system/labeld:default
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica__TRUSTED_ENABLE
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_commonstart
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Started. Must configure Trusted Extensions before booting."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica ;;
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica'stop')
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "$tx_enabled" = "true" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_OK
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Must remove zones before disabling Trusted Extensions."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_CONFIG
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Stop Trusted services.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Uncomment audio and usb device entries in /etc/logindevperm.
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ -f $LOGINDEVPERM ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica line="\/dev\/console 0600 \/dev\/sound\/\*"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cp /tmp/tmp.$$ $LOGINDEVPERM
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica cp /tmp/tmp.$$ $LOGINDEVPERM
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica rm -f /tmp/tmp.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica # Remove sys_labeling from /etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica if [ $? -eq 0 ]; then
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit $SMF_EXIT_ERR_FATAL
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica fi
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica do_bootupd
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "$0: Stopped. Will take effect at next boot."
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica ;;
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica*)
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica echo "Usage: $0 { start | stop }"
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica exit 1
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica ;;
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaesac
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01ricaexit $SMF_EXIT_OK
f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01rica