Cross Reference: /illumos-gate/usr/src/cmd/tsol/labeld/svc-labeld

	svc-labeld revision f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#!/sbin/sh
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# CDDL HEADER START
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# The contents of this file are subject to the terms of the
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# Common Development and Distribution License (the "License").
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# You may not use this file except in compliance with the License.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# or http://www.opensolaris.org/os/licensing.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# See the License for the specific language governing permissions
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# and limitations under the License.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# When distributing Covered Code, include this CDDL HEADER in each
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# If applicable, add the following below this CDDL HEADER, with the
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# fields enclosed by brackets "[]" replaced with your own identifying
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# information: Portions Copyright [yyyy] [name of copyright owner]
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# CDDL HEADER END
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# Use is subject to license terms.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync#ident  "%Z%%M% %I% %E% SMI"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync. /lib/svc/share/smf_include.sh
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncROOT_PATH=""
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncif [ $# -gt 1 ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ $# -ne 3 -o "$2" != "-R" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        echo "$0: invalid syntax"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        exit $SMF_EXIT_ERR_CONFIG
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ "$3" != "/" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        ROOT_PATH=$3
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncfi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncif [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "$0: invalid syntax: -R allowed for start method only"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    exit $SMF_EXIT_ERR_CONFIG
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncfi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncif [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "$0: invalid -R rootpath dir specified"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    exit $SMF_EXIT_ERR_CONFIG
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncfi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncif smf_is_nonglobalzone; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "$0: not supported in a local zone"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    exit $SMF_EXIT_ERR_CONFIG
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncfi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_logindev()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # Comment out audio and usb device entries in /etc/logindevperm.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ -f $LOGINDEVPERM ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        line="\/dev\/console    0600    \/dev\/sound\/\*"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        cp /tmp/tmp.$$ $LOGINDEVPERM
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        line="\/dev\/console    0600    \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        cp /tmp/tmp.$$ $LOGINDEVPERM
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        rm -f /tmp/tmp.$$
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_otherservices()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # Setup dependent services
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        /usr/sbin/svcadm enable -s svc:/network/tnd:default
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        /usr/sbin/svccfg -s svc:/application/x11/x11-server \
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            setprop options/tcp_listen = true
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync__ENABLE_OTHERS
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_bsmconv()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # Run bsmconv so audit and device allocation is enabled by
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # default with Trusted Extensions.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        BSMDIR=""
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    else
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        BSMDIR=$ROOT_PATH
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "Running bsmconv ..."
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_nscd()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync# For Trusted Extensions, make nscd service transient in local zones.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsynccat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ `/sbin/zonename` != "global" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        nscd="svc:/system/name-service-cache"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        duration=""
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if /bin/svcprop -q -c -p startd/duration $nscd ; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            duration=`/bin/svcprop -c -p startd/duration $nscd`
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if [ "$duration" != "transient" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /usr/sbin/svccfg -s $nscd addpg startd framework
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /usr/sbin/svccfg -s $nscd setprop \
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync                startd/duration = astring: transient
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /usr/sbin/svcadm refresh $nscd
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync_DEL_LOCAL_NSCD
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_bootupd()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /sbin/bootadm update-archive
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        else
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            /sbin/bootadm update-archive -R $ROOT_PATH
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdo_commonstart()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "$0: Updating $ROOT_PATH/etc/system..."
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ ! -f ${ROOT_PATH}/etc/system ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        touch ${ROOT_PATH}/etc/system
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
4d10b27f3115f8fcd58864142163726d6214a752vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # Set sys_labeling in etc/system
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    echo "set sys_labeling=1" >> /tmp/etc.system.$$
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ $? -ne 0 ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        exit $SMF_EXIT_ERR_FATAL
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    do_bootupd
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # Setup dependent services
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    do_otherservices
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    do_logindev
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    do_bsmconv
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    do_nscd
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncdaemon_start()
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync{
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # If a labeld door exists, check for a labeld process and exit
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    # if the daemon is already running.
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ -r /var/tsol/doors/labeld ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            echo "$0: labeld is already running"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            exit $SMF_EXIT_ERR_FATAL
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    /usr/bin/rm -f /var/tsol/doors/labeld
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    /usr/lib/labeld
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync}
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsyncPATH=/usr/sbin:/usr/bin; export PATH
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsynccase "$1" in
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync'start')
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync    if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        # native
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if [ -z "$SMF_FMRI" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            echo "$0: this script can only be invoked by smf(5)"
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            exit $SMF_EXIT_ERR_NOSMF
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        fi
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync        if [ "$tx_enabled" = "false" ]; then
e0e0c19eefceaf5d4ec40f9466b58a771f50e799vboxsync            # A sign of trying temporary enablement...no-no
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync            echo "$0: Temporarily enabling Trusted Extensions is not allowed."
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync            exit $SMF_EXIT_ERR_CONFIG
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync        fi
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync        if (smf_is_system_labeled); then
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync            daemon_start
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync            exit $SMF_EXIT_OK
f22cba796fd7499bf85058671a1af7cbe491c622vboxsync        fi
7e032664d31552364e83b411950d6e7c96b0b880vboxsync
7e032664d31552364e83b411950d6e7c96b0b880vboxsync        # Make changes to enable Trusted Extensions
        grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "$0: already enabled. Exiting."
            exit $SMF_EXIT_OK
        fi

        if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
            echo "$0: Must remove zones before enabling Trusted Extensions."
            exit $SMF_EXIT_ERR_CONFIG
        fi

        do_commonstart

        # start daemon proccess so our service doesn't go into
        # maintenance state
        daemon_start

        echo "$0: Started.  Must reboot and configure Trusted Extensions."
    else
        # Support jumpstart etc

        # Make changes to enable Trusted Extensions
        grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "$0: already enabled. Exiting."
            exit $SMF_EXIT_OK
        fi

        # Setup dependent services
        cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
            /usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

        do_commonstart
        echo "$0: Started.  Must configure Trusted Extensions before booting."
    fi
    ;;

'stop')
    tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
    if [ "$tx_enabled" = "true" ]; then
        /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
        exit $SMF_EXIT_OK
    fi

    if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
        echo "$0: Must remove zones before disabling Trusted Extensions."
        exit $SMF_EXIT_ERR_CONFIG
    fi

    # Stop Trusted services.
    /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
    /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

    # Uncomment audio and usb device entries in /etc/logindevperm.
    LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
    if [ -f $LOGINDEVPERM ]; then
        line="\/dev\/console    0600    \/dev\/sound\/\*"
        sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
        cp /tmp/tmp.$$ $LOGINDEVPERM
        line="\/dev\/console    0600    \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
        sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
        cp /tmp/tmp.$$ $LOGINDEVPERM
        rm -f /tmp/tmp.$$
    fi

    # Remove sys_labeling from /etc/system
    grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
    mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
    grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
    if [ $? -eq 0 ]; then
            echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
        exit $SMF_EXIT_ERR_FATAL
    fi

    do_bootupd

    /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
    echo "$0: Stopped.  Will take effect at next boot."
    ;;

*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

exit $SMF_EXIT_OK