svc-labeld revision f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01
0N/A#!/sbin/sh
228N/A#
0N/A# CDDL HEADER START
0N/A#
0N/A# The contents of this file are subject to the terms of the
0N/A# Common Development and Distribution License (the "License").
0N/A# You may not use this file except in compliance with the License.
0N/A#
0N/A# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
0N/A# or http://www.opensolaris.org/os/licensing.
0N/A# See the License for the specific language governing permissions
0N/A# and limitations under the License.
0N/A#
0N/A# When distributing Covered Code, include this CDDL HEADER in each
0N/A# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
0N/A# If applicable, add the following below this CDDL HEADER, with the
0N/A# fields enclosed by brackets "[]" replaced with your own identifying
0N/A# information: Portions Copyright [yyyy] [name of copyright owner]
0N/A#
0N/A# CDDL HEADER END
0N/A#
0N/A# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
0N/A# Use is subject to license terms.
0N/A#
0N/A#ident "%Z%%M% %I% %E% SMI"
0N/A
0N/A. /lib/svc/share/smf_include.sh
0N/A
0N/AROOT_PATH=""
0N/Aif [ $# -gt 1 ]; then
0N/A if [ $# -ne 3 -o "$2" != "-R" ]; then
366N/A echo "$0: invalid syntax"
0N/A exit $SMF_EXIT_ERR_CONFIG
0N/A fi
285N/A if [ "$3" != "/" ]; then
285N/A ROOT_PATH=$3
0N/A fi
0N/Afi
0N/Aif [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
0N/A echo "$0: invalid syntax: -R allowed for start method only"
0N/A exit $SMF_EXIT_ERR_CONFIG
0N/Afi
366N/Aif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
0N/A echo "$0: invalid -R rootpath dir specified"
0N/A exit $SMF_EXIT_ERR_CONFIG
0N/Afi
0N/A
0N/Aif smf_is_nonglobalzone; then
0N/A echo "$0: not supported in a local zone"
0N/A exit $SMF_EXIT_ERR_CONFIG
0N/Afi
0N/A
0N/Ado_logindev()
0N/A{
0N/A # Comment out audio and usb device entries in /etc/logindevperm.
0N/A LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
0N/A if [ -f $LOGINDEVPERM ]; then
0N/A line="\/dev\/console 0600 \/dev\/sound\/\*"
0N/A sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
0N/A cp /tmp/tmp.$$ $LOGINDEVPERM
0N/A line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
0N/A sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
331N/A cp /tmp/tmp.$$ $LOGINDEVPERM
331N/A rm -f /tmp/tmp.$$
0N/A fi
0N/A}
0N/A
0N/Ado_otherservices()
0N/A{
0N/A # Setup dependent services
330N/A cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
0N/A /usr/sbin/svcadm enable -s svc:/network/tnd:default
0N/A /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
0N/A /usr/sbin/svccfg -s svc:/application/x11/x11-server \
0N/A setprop options/tcp_listen = true
0N/A /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
0N/A__ENABLE_OTHERS
0N/A
0N/A}
0N/A
0N/Ado_bsmconv()
0N/A{
0N/A # Run bsmconv so audit and device allocation is enabled by
0N/A # default with Trusted Extensions.
0N/A if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
0N/A BSMDIR=""
0N/A else
0N/A BSMDIR=$ROOT_PATH
0N/A fi
0N/A echo "Running bsmconv ..."
0N/A echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
0N/A $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
0N/A}
0N/A
0N/Ado_nscd()
0N/A{
0N/A# For Trusted Extensions, make nscd service transient in local zones.
0N/Acat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
0N/A if [ `/sbin/zonename` != "global" ]; then
0N/A nscd="svc:/system/name-service-cache"
0N/A duration=""
0N/A if /bin/svcprop -q -c -p startd/duration $nscd ; then
0N/A duration=`/bin/svcprop -c -p startd/duration $nscd`
0N/A fi
0N/A if [ "$duration" != "transient" ]; then
0N/A /usr/sbin/svccfg -s $nscd addpg startd framework
0N/A /usr/sbin/svccfg -s $nscd setprop \
0N/A startd/duration = astring: transient
0N/A /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
0N/A /usr/sbin/svcadm refresh $nscd
0N/A fi
0N/A fi
0N/A_DEL_LOCAL_NSCD
0N/A}
0N/A
0N/Ado_bootupd()
0N/A{
0N/A if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
0N/A if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
0N/A /sbin/bootadm update-archive
0N/A else
0N/A /sbin/bootadm update-archive -R $ROOT_PATH
0N/A fi
0N/A fi
45N/A}
45N/A
0N/Ado_commonstart()
0N/A{
0N/A echo "$0: Updating $ROOT_PATH/etc/system..."
0N/A if [ ! -f ${ROOT_PATH}/etc/system ]; then
0N/A touch ${ROOT_PATH}/etc/system
0N/A fi
0N/A
0N/A # Set sys_labeling in etc/system
0N/A grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
0N/A echo "set sys_labeling=1" >> /tmp/etc.system.$$
0N/A mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
0N/A grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
0N/A if [ $? -ne 0 ]; then
echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
do_bootupd
# Setup dependent services
do_otherservices
do_logindev
do_bsmconv
do_nscd
}
daemon_start()
{
# If a labeld door exists, check for a labeld process and exit
# if the daemon is already running.
if [ -r /var/tsol/doors/labeld ]; then
if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
echo "$0: labeld is already running"
exit $SMF_EXIT_ERR_FATAL
fi
fi
/usr/bin/rm -f /var/tsol/doors/labeld
/usr/lib/labeld
}
PATH=/usr/sbin:/usr/bin; export PATH
case "$1" in
'start')
if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
# native
if [ -z "$SMF_FMRI" ]; then
echo "$0: this script can only be invoked by smf(5)"
exit $SMF_EXIT_ERR_NOSMF
fi
tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
if [ "$tx_enabled" = "false" ]; then
# A sign of trying temporary enablement...no-no
echo "$0: Temporarily enabling Trusted Extensions is not allowed."
exit $SMF_EXIT_ERR_CONFIG
fi
if (smf_is_system_labeled); then
daemon_start
exit $SMF_EXIT_OK
fi
# Make changes to enable Trusted Extensions
grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
echo "$0: Must remove zones before enabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
do_commonstart
# start daemon proccess so our service doesn't go into
# maintenance state
daemon_start
echo "$0: Started. Must reboot and configure Trusted Extensions."
else
# Support jumpstart etc
# Make changes to enable Trusted Extensions
grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: already enabled. Exiting."
exit $SMF_EXIT_OK
fi
# Setup dependent services
cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE
do_commonstart
echo "$0: Started. Must configure Trusted Extensions before booting."
fi
;;
'stop')
tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
if [ "$tx_enabled" = "true" ]; then
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
exit $SMF_EXIT_OK
fi
if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
echo "$0: Must remove zones before disabling Trusted Extensions."
exit $SMF_EXIT_ERR_CONFIG
fi
# Stop Trusted services.
/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
# Uncomment audio and usb device entries in /etc/logindevperm.
LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
if [ -f $LOGINDEVPERM ]; then
line="\/dev\/console 0600 \/dev\/sound\/\*"
sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
cp /tmp/tmp.$$ $LOGINDEVPERM
line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
cp /tmp/tmp.$$ $LOGINDEVPERM
rm -f /tmp/tmp.$$
fi
# Remove sys_labeling from /etc/system
grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
exit $SMF_EXIT_ERR_FATAL
fi
do_bootupd
/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
echo "$0: Stopped. Will take effect at next boot."
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit $SMF_EXIT_OK