svc-labeld revision f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# CDDL HEADER START
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# The contents of this file are subject to the terms of the
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# Common Development and Distribution License (the "License").
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# You may not use this file except in compliance with the License.
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# See the License for the specific language governing permissions
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# and limitations under the License.
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# When distributing Covered Code, include this CDDL HEADER in each
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# If applicable, add the following below this CDDL HEADER, with the
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# fields enclosed by brackets "[]" replaced with your own identifying
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# information: Portions Copyright [yyyy] [name of copyright owner]
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# CDDL HEADER END
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa# Use is subject to license terms.
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa#ident "%Z%%M% %I% %E% SMI"
f0264afd33a980b6584747fc8159ee950805d9e3Eugen Kuksa echo "$0: invalid syntax"
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "$0: invalid syntax: -R allowed for start method only"
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksaif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa echo "$0: invalid -R rootpath dir specified"
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa echo "$0: not supported in a local zone"
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa # Comment out audio and usb device entries in /etc/logindevperm.
366ce8d807067a97613cb23d49105d8a093c5015Eugen Kuksa if [ -f $LOGINDEVPERM ]; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
4ec9d8b62c3c1a001548eb0883b6f81e00c391a0Eugen Kuksa cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svcadm enable -s svc:/network/tnd:default
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svccfg -s svc:/application/x11/x11-server \
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa # Run bsmconv so audit and device allocation is enabled by
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa# For Trusted Extensions, make nscd service transient in local zones.
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksacat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa if /bin/svcprop -q -c -p startd/duration $nscd ; then
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa duration=`/bin/svcprop -c -p startd/duration $nscd`
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa /usr/sbin/svccfg -s $nscd addpg startd framework
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ ! -f ${ROOT_PATH}/etc/system ]; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ $? -ne 0 ]; then
4634cde5d3428bd5ab34b8212ac2f4637cdfff6fEugen Kuksa echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
2dbc668d1e44c95db1857d3968bcde7517852beaEugen Kuksa # If a labeld door exists, check for a labeld process and exit
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa if [ -r /var/tsol/doors/labeld ]; then
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa if [ -z "$SMF_FMRI" ]; then
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa echo "$0: this script can only be invoked by smf(5)"
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # A sign of trying temporary enablement...no-no
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa echo "$0: Temporarily enabling Trusted Extensions is not allowed."
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # Make changes to enable Trusted Extensions
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa echo "$0: already enabled. Exiting."
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa echo "$0: Must remove zones before enabling Trusted Extensions."
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # start daemon proccess so our service doesn't go into
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # maintenance state
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa echo "$0: Started. Must reboot and configure Trusted Extensions."
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # Support jumpstart etc
4ec9d8b62c3c1a001548eb0883b6f81e00c391a0Eugen Kuksa # Make changes to enable Trusted Extensions
486df98bbf3348cfb96e93c3e499d12435880bb5Eugen Kuksa grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa echo "$0: already enabled. Exiting."
486df98bbf3348cfb96e93c3e499d12435880bb5Eugen Kuksa # Setup dependent services
486df98bbf3348cfb96e93c3e499d12435880bb5Eugen Kuksa cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa /usr/sbin/svcadm enable -s svc:/system/labeld:default
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "$0: Started. Must configure Trusted Extensions before booting."
486df98bbf3348cfb96e93c3e499d12435880bb5Eugen Kuksa tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
dd553f2f8b8abb774ba64a4fb9ebe3abea9f7f17Eugen Kuksa /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "$0: Must remove zones before disabling Trusted Extensions."
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa # Stop Trusted services.
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
b51057b860560bf3ee454c03a121af3d5d34f482Eugen Kuksa # Uncomment audio and usb device entries in /etc/logindevperm.
486df98bbf3348cfb96e93c3e499d12435880bb5Eugen Kuksa if [ -f $LOGINDEVPERM ]; then
5efadb4662f2a63d5f5f1a5b303ab7c3371069a8Eugen Kuksa sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
b4ac7fd47818fbcba8d344e3de41ca62e1473b94Eugen Kuksa line="\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
6d055d16c7620b7804b6a46cb481d00b3dbb5007Eugen Kuksa sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
daf3e28fff47a65b53d6fb65155301763b9f166eEugen Kuksa # Remove sys_labeling from /etc/system
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "$0: Stopped. Will take effect at next boot."
28001d576e67ba46ed481c5695f1e0827ff26007Eugen Kuksa echo "Usage: $0 { start | stop }"