svc-labeld revision 269f47de02761bab3b7b28e2007a2bac34f629cc
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#!/sbin/sh
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# CDDL HEADER START
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# The contents of this file are subject to the terms of the
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# Common Development and Distribution License (the "License").
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# You may not use this file except in compliance with the License.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# or http://www.opensolaris.org/os/licensing.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# See the License for the specific language governing permissions
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# and limitations under the License.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# When distributing Covered Code, include this CDDL HEADER in each
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# If applicable, add the following below this CDDL HEADER, with the
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# fields enclosed by brackets "[]" replaced with your own identifying
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# information: Portions Copyright [yyyy] [name of copyright owner]
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# CDDL HEADER END
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose. /lib/svc/share/smf_include.sh
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit BoseROOT_PATH=""
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boseif [ $# -gt 1 ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ $# -ne 3 -o "$2" != "-R" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$0: invalid syntax"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose exit $SMF_EXIT_ERR_CONFIG
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ "$3" != "/" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose ROOT_PATH=$3
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosefi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boseif [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$0: invalid syntax: -R allowed for start method only"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose exit $SMF_EXIT_ERR_CONFIG
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosefi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boseif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$0: invalid -R rootpath dir specified"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose exit $SMF_EXIT_ERR_CONFIG
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosefi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boseif smf_is_nonglobalzone; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$0: not supported in a local zone"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose exit $SMF_EXIT_ERR_CONFIG
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosefi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boserewrite_logindev()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose from="$1"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose to="$2"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Comment out audio, usb, removable-media, and hotpluggable device
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # entries in /etc/logindevperm.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ ! -f $LOGINDEVPERM ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose return
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose for line in \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose "/dev/sound/" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose "/dev/removable-media/" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose "/dev/hotpluggable/" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose "/dev/usb/\[0-9a-f\]" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose ; do
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose sed -e "s!^$from\([^# ]\{1,\}[ }\{1,\}[0-9]\{1,\}[ ]\{1,\}\)$line!$to\1$line!" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose $LOGINDEVPERM > /tmp/tmp.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose cp /tmp/tmp.$$ $LOGINDEVPERM
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose done
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose rm -f /tmp/tmp.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_logindev()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose rewrite_logindev "" "#"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_otherservices()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Setup dependent services
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm enable -s svc:/network/tnd:default
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose__ENABLE_OTHERS
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_audit_devalloc()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Ensure auditing and device allocation are enabled by
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # default with Trusted Extensions.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "Starting auditd ..."
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/audit -s
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose else
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/audit -s
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose_ENABLE_AUDITD
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_nscd()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# For Trusted Extensions, make nscd service transient in local zones.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosecat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ `/sbin/zonename` != "global" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose nscd="svc:/system/name-service-cache"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose duration=""
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if /bin/svcprop -q -c -p startd/duration $nscd ; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose duration=`/bin/svcprop -c -p startd/duration $nscd`
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ "$duration" != "transient" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svccfg -s $nscd addpg startd framework
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svccfg -s $nscd setprop \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose startd/duration = astring: transient
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /usr/sbin/svcadm refresh $nscd
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose_DEL_LOCAL_NSCD
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_bootupd()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /sbin/bootadm update-archive
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose else
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose /sbin/bootadm update-archive -R $ROOT_PATH
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosesetup_tx_changes(){
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose# No comments or blanks lines allowed in entries below
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose#
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosecat > ${TX_ENTRIES} << EOF
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtlogin account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtlogin account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtsession account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtsession account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosegdm account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosegdm account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosexscreensaver account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosexscreensaver account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosepasswd account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosepasswd account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtpasswd account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedtpasswd account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosetsoljds-tstripe account requisite pam_roles.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosetsoljds-tstripe account required pam_unix_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Boseother account required pam_tsol_account.so.1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit BoseEOF
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose}
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bosedo_addpam()
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose{
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose PAM_TMP=/tmp/pam_conf.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose TX_ENTRIES=$PAM_TMP/sct.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose PAM_DEST=$ROOT_PATH/etc/pam.conf
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose setup_tx_changes
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # verify that pam.conf file exists...
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ ! -f ${PAM_DEST} ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$0: ${PAM_DEST} not found; aborting"
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose exit $SMF_EXIT_ERR_FATAL
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose #
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Update pam.conf to append Trusted Extensions entries if not
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # already present.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose #
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose rm -f /tmp/pamconf.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose while read e1 e2 e3 e4 e5
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose do
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # If this is the 'other' entry, add it unless it already
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # exists.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ $e1 = "other" ]; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose grep \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose"^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose $PAM_DEST >/dev/null 2>&1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ $? = 1 ] ; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Doesn't exist, enter into pam.conf
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$e1\t$e2 $e3\t\t$e4 $e5" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose >> /tmp/pamconf.$$
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose fi
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose else
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # Add other entries unless they already have a
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose # stack of their own.
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose grep "^[# ]*$e1[ ][ ]*$e2[ ]" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose $PAM_DEST >/dev/null 2>&1
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose if [ $? = 1 ] ; then
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose echo "$e1\t$e2 $e3\t\t$e4 $e5" \
1d1a0a019d8d4d9ab0f51ada03604cd2cada287eSumit Bose >> /tmp/pamconf.$$
fi
fi
done < ${TX_ENTRIES}
# Append TX lines if any were not present already.
if [ -f /tmp/pamconf.$$ ] ; then
echo "# Entries for Trusted Extensions" >> $PAM_DEST
cat /tmp/pamconf.$$ >> $PAM_DEST
echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
echo "$0: please examine/update any new entries"
rm -f /tmp/pamconf.$$
fi
rm -rf $PAM_TMP
}
do_pamremove()
{
PAM_TMP=/tmp/pam_conf.$$
TX_ENTRIES=$PAM_TMP/sct.$$
PAM_DEST=$ROOT_PATH/etc/pam.conf
TMPFILE=$PAM_TMP/pam.conf
mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
# verify that pam.conf file exists...
if [ ! -f ${PAM_DEST} ]; then
echo "$0: ${PAM_DEST} not found; aborting"
exit $SMF_EXIT_ERR_FATAL
fi
grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "$0: pam_tsol_account module not present,"
echo "$0: No changes were made to $PAM_DEST."
return
fi
grep -v pam_tsol_account $PAM_DEST > $TMPFILE
echo "$0: $PAM_DEST "tsol" entries removed"
cp $TMPFILE $PAM_DEST
rm -rf $PAM_TMP
}
do_commonstart()
{
echo "$0: Updating $ROOT_PATH/etc/system..."
if [ ! -f ${ROOT_PATH}/etc/system ]; then
touch ${ROOT_PATH}/etc/system
fi
# Set sys_labeling in etc/system
grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
echo "set sys_labeling=1" >> /tmp/etc.system.$$
mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
# Setup dependent services
do_otherservices
do_logindev
do_audit_devalloc
do_nscd
do_addpam
do_bootupd
}
do_servicetag_register()
{
ROOTDIR=$1
SOL_ARCH=`/sbin/uname -p`
SOL_VERS=`/sbin/uname -r`
TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"
if [ ! -x /usr/bin/stclient ]; then
return
fi
# if already registered then do nothing more here
inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
if [ -n "$inst" ]; then
# this instance id was saved in a SMF property
/usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1
if [ $? = 0 ]; then
# matching service tag found, so do nothing
return
else
# no match for instance id saved in SMF property
/usr/sbin/svccfg -s $SMF_FMRI delprop \
labeld/svctag_inst
/usr/sbin/svcadm refresh $SMF_FMRI
fi
fi
# fall through: no service tag, or does not match saved instance id
# determine the urn of the parent (Solaris)
SOL_PROD_URN=""
case $SOL_VERS in
5.11)
SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
;;
5.10)
SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
;;
esac
# add the service tag
RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
-e $SOL_VERS -t $TX_PROD_URN -P Solaris $SOL_PROD_URN \
-m Sun -A $SOL_ARCH -z global -S $0 -r $ROOTDIR`
if [ $? = 0 ]; then
# save instance id in SMF property
inst=`echo "$RC" | grep -i urn|awk -F= '{print $2}'`
/usr/sbin/svccfg -s $SMF_FMRI setprop \
labeld/svctag_inst = astring: "$inst"
/usr/sbin/svcadm refresh $SMF_FMRI
fi
}
do_servicetag_delete()
{
if [ ! -x /usr/bin/stclient ]; then
return
fi
inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
if [ -n "$inst" ]; then
# delete service tag
/usr/bin/stclient -d -i $inst
# delete saved instance id
/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
/usr/sbin/svcadm refresh $SMF_FMRI
fi
}
daemon_start()
{
# If a labeld door exists, check for a labeld process and exit
# if the daemon is already running.
if [ -r /var/tsol/doors/labeld ]; then
if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
echo "$0: labeld is already running"
exit $SMF_EXIT_ERR_FATAL
fi
fi
/usr/bin/rm -f /var/tsol/doors/labeld
/usr/lib/labeld
}
PATH=/usr/sbin:/usr/bin; export PATH
case "$1" in
'start')
if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
# native
if [ -z "$SMF_FMRI" ]; then
echo "$0: this script can only be invoked by smf(5)"
exit $SMF_EXIT_ERR_NOSMF
fi
tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
if [ "$tx_enabled" = "false" ]; then
# A sign of trying temporary enablement...no-no
echo "$0: Temporarily enabling Trusted Extensions is not allowed."
exit $SMF_EXIT_ERR_CONFIG
fi
if (smf_is_system_labeled); then
do_servicetag_register /
daemon_start
exit $SMF_EXIT_OK
fi
# Make changes to enable Trusted Extensions
grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
echo "$0: Must remove zones before enabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
do_commonstart
do_servicetag_register /
# start daemon proccess so our service doesn't go into
# maintenance state
daemon_start
echo "$0: Started. Must reboot and configure Trusted Extensions."
else
# Support jumpstart etc
# Make changes to enable Trusted Extensions
grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
# Setup dependent services
cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE
do_commonstart
do_servicetag_register $ROOT_PATH
echo "$0: Started. Must configure Trusted Extensions before booting."
fi
;;
'stop')
tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
if [ "$tx_enabled" = "true" ]; then
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
exit $SMF_EXIT_OK
fi
if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
echo "$0: Must remove zones before disabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
# Stop Trusted services.
/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
# Uncomment audio, usb, removable-media, and hotpluggable device
# entries in /etc/logindevperm.
rewrite_logindev "#" ""
# Remove sys_labeling from /etc/system
grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
do_pamremove
do_servicetag_delete
do_bootupd
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
echo "$0: Stopped. Will take effect at next boot."
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit $SMF_EXIT_OK