#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
. /lib/svc/share/smf_include.sh

#
# Optional "-R rootpath" selects an alternate root to configure (jumpstart
# and similar).  It is accepted for the start method only, and "-R /" is
# treated the same as no alternate root.
#
ROOT_PATH=""
if [ $# -gt 1 ]; then
	if [ $# -ne 3 -o "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ "$3" != "/" ]; then
		ROOT_PATH=$3
	fi
fi
if [ -n "$ROOT_PATH" ]; then
	if [ "$1" != "start" ]; then
		echo "$0: invalid syntax: -R allowed for start method only"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ ! -d "$ROOT_PATH" ]; then
		echo "$0: invalid -R rootpath dir specified"
		exit $SMF_EXIT_ERR_CONFIG
	fi
fi

# Trusted Extensions is configured from the global zone only.
if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi
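rewrite_logindev()
{
	# Rewrite the audio, usb, removable-media and hotpluggable device
	# entries of $ROOT_PATH/etc/logindevperm, replacing a leading "$1"
	# with "$2" on each matching line.  do_logindev() calls this with
	# ("", "#") to comment the entries out; the stop method calls it
	# with ("#", "") to restore them.  Silently does nothing when the
	# file is absent.
	from="$1"
	to="$2"
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	# Stage the rewritten file in a freshly created temporary file,
	# not at the predictable name /tmp/tmp.$$: this runs as root, and
	# a symlink planted at a guessable /tmp name would redirect the
	# write.
	tmpfile=`/usr/bin/mktemp /tmp/logindevperm.XXXXXX`
	if [ -z "$tmpfile" ]; then
		echo "$0: cannot create temporary file for $LOGINDEVPERM"
		return
	fi
	for line in \
		"/dev/sound/" \
		"/dev/removable-media/" \
		"/dev/hotpluggable/" \
		"/dev/usb/\[0-9a-f\]" \
			; do
		# An entry is: device name, whitespace, octal mode,
		# whitespace, device path.  Both whitespace classes are
		# "[ <tab>]" (the second one used to read "[ <tab>}",
		# which swallowed the following "]").
		sed -e "s!^$from\([^# 	]\{1,\}[ 	]\{1,\}[0-9]\{1,\}[ 	]\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$tmpfile"
		# cp (rather than mv) keeps the ownership and mode of
		# the target file.
		cp "$tmpfile" "$LOGINDEVPERM"
	done
	rm -f "$tmpfile"
}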
do_logindev()
{
	# Comment out the logindevperm device entries that Trusted
	# Extensions takes over (see rewrite_logindev() for the list).
	rewrite_logindev '' '#'
}
do_otherservices()
{
	# Append the enabling of the services Trusted Extensions depends
	# on to the upgrade profile under the target root.  The heredoc
	# delimiter is quoted, so the lines are copied verbatim.
	upgrade_profile=$ROOT_PATH/var/svc/profile/upgrade
	cat <<\__ENABLE_OTHERS >> $upgrade_profile
		/usr/sbin/svcadm enable -s svc:/network/tnd:default
		/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
		/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS
}
do_bsmconv()
{
	# Run bsmconv so device allocation is enabled by default with
	# Trusted Extensions, answering its prompt with a localized "y".
	# Auditing is enabled as well: right away on a live root, or via
	# the upgrade profile when an alternate root is being configured.
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		BSMDIR=""
	else
		BSMDIR=$ROOT_PATH
	fi
	echo "Running bsmconv ..."
	echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
	    $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
	if [ -z "$BSMDIR" ]; then
		echo "Starting auditd ..."
		/usr/sbin/audit -s
	else
		cat <<\_ENABLE_AUDITD >> $ROOT_PATH/var/svc/profile/upgrade
			/usr/sbin/audit -s
_ENABLE_AUDITD
	fi
}
do_nscd()
{
	# For Trusted Extensions, make the nscd service transient in local
	# zones by queueing the reconfiguration in the upgrade profile.
	# The delimiter is quoted, so $nscd and $duration below are written
	# into the profile literally rather than expanded here.
	cat <<\_DEL_LOCAL_NSCD >> $ROOT_PATH/var/svc/profile/upgrade
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}
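do_bootupd()
{
	# Refresh the boot archive of the target root; called after
	# etc/system has been edited.  Nothing to do on a platform that
	# has no boot archive.  Expansions are quoted so an alternate
	# root containing whitespace is passed as one argument.
	archive="$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive"
	if [ ! -f "$archive" ]; then
		return
	fi
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		/sbin/bootadm update-archive
	else
		/sbin/bootadm update-archive -R "$ROOT_PATH"
	fi
}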
setup_tx_changes()
{
	# Write the pam.conf lines Trusted Extensions needs to the file
	# named by $TX_ENTRIES (set by the caller, do_addpam()).  Each
	# line is "service type control module"; the reader splits them
	# on whitespace, so the file must contain neither comments nor
	# blank lines.
	cat <<EOF > ${TX_ENTRIES}
dtlogin		account		requisite	pam_roles.so.1
dtlogin		account		required	pam_unix_account.so.1
dtsession	account		requisite	pam_roles.so.1
dtsession	account		required	pam_unix_account.so.1
gdm		account		requisite	pam_roles.so.1
gdm		account		required	pam_unix_account.so.1
xscreensaver	account		requisite	pam_roles.so.1
xscreensaver	account		required	pam_unix_account.so.1
passwd		account		requisite	pam_roles.so.1
passwd		account		required	pam_unix_account.so.1
dtpasswd	account		requisite	pam_roles.so.1
dtpasswd	account		required	pam_unix_account.so.1
tsoljds-tstripe	account		requisite	pam_roles.so.1
tsoljds-tstripe	account		required	pam_unix_account.so.1
other		account		required	pam_tsol_account.so.1
EOF
}
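do_addpam()
{
	# Append to $ROOT_PATH/etc/pam.conf the Trusted Extensions entries
	# it does not have yet.  All scratch files live in a private
	# directory created with mkdir (which fails, and aborts, if the
	# name already exists), so nothing is written to a predictable
	# name directly under /tmp while running as root.
	PAM_TMP=/tmp/pam_conf.$$
	TX_ENTRIES=$PAM_TMP/sct.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	PAM_NEW=$PAM_TMP/pamconf

	mkdir "$PAM_TMP" || exit $SMF_EXIT_ERR_FATAL
	setup_tx_changes

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf "$PAM_TMP"
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# Collect in $PAM_NEW the entries pam.conf lacks.  The patterns
	# allow a leading "#", so a commented-out entry counts as present.
	# Only a grep status of 1 ("no match") adds an entry; 0 (present)
	# or 2 (error reading pam.conf) leaves it out, as before.
	#
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# The 'other' entry is matched on all four fields,
			# so it is added unless this exact module line is
			# already there.
			grep \
			    "^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
			    "$PAM_DEST" >/dev/null 2>&1
			rc=$?
		else
			# Per-service entries are skipped whenever the
			# service already has a stack of its own.
			grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	]" \
			    "$PAM_DEST" >/dev/null 2>&1
			rc=$?
		fi
		if [ "$rc" = 1 ] ; then
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"

	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ] ; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf "$PAM_TMP"
}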
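do_pamremove()
{
	# Strip the Trusted Extensions entries from $ROOT_PATH/etc/pam.conf
	# when the service is disabled for good.  Every line mentioning
	# pam_tsol_account is dropped, comments included, as before.
	PAM_TMP=/tmp/pam_conf.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	TMPFILE=$PAM_TMP/pam.conf

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Only an active (uncommented) entry means there is work to do.
	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		return
	fi

	# The private staging directory is created only once we know we
	# will write, so the early exits above no longer leave it behind.
	# mkdir fails (and we abort) if the name already exists, so a
	# planted entry cannot redirect the write.
	mkdir "$PAM_TMP" || exit $SMF_EXIT_ERR_FATAL
	grep -v pam_tsol_account "$PAM_DEST" > "$TMPFILE"
	echo "$0: $PAM_DEST \"tsol\" entries removed"
	# cp keeps the ownership and mode of pam.conf.
	cp "$TMPFILE" "$PAM_DEST"

	rm -rf "$PAM_TMP"
}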
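do_commonstart()
{
	# Enable labeling in the target root's etc/system, then apply the
	# remaining changes the live-root and alternate-root start paths
	# share: dependent services, logindevperm, bsmconv/audit, nscd,
	# pam.conf and finally the boot archive.
	ETC_SYSTEM=${ROOT_PATH}/etc/system
	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "$ETC_SYSTEM" ]; then
		touch "$ETC_SYSTEM"
	fi

	# Set sys_labeling in etc/system.  The edited copy is staged in a
	# temporary file created by mktemp, not at the predictable name
	# /tmp/etc.system.$$: this runs as root, and a symlink planted at
	# a guessable /tmp name would redirect the write.
	tmpfile=`/usr/bin/mktemp /tmp/etc.system.XXXXXX`
	if [ -z "$tmpfile" ]; then
		echo "$0: ERROR: cannot create temporary file for $ETC_SYSTEM"
		exit $SMF_EXIT_ERR_FATAL
	fi
	grep -v "sys_labeling=" "$ETC_SYSTEM" > "$tmpfile"
	echo "set sys_labeling=1" >> "$tmpfile"
	# cp (rather than mv) keeps the ownership and mode of etc/system;
	# the mktemp file itself is private to root.
	cp "$tmpfile" "$ETC_SYSTEM"
	rm -f "$tmpfile"
	grep "set sys_labeling=1" "$ETC_SYSTEM" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_bsmconv
	do_nscd
	do_addpam

	do_bootupd
}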
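do_servicetag_register()
{
	# Register a "Solaris Trusted Extensions" service tag for the root
	# given as $1 and save the tag's instance id in this service's
	# labeld/svctag_inst property.  A no-op when stclient is absent or
	# when a tag matching the saved instance id already exists.  The
	# values handed to stclient are quoted so an alternate root with
	# whitespace, or an unexpected property value, stays one argument.
	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	# if already registered then do nothing more here
	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	if [ -n "$inst" ]; then
		# this instance id was saved in a SMF property
		if /usr/bin/stclient -g -i "$inst" -r "$ROOTDIR" >/dev/null 2>&1
		then
			# matching service tag found, so do nothing
			return
		fi
		# no match for instance id saved in SMF property: forget it
		/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi

	# fall through: no service tag, or does not match saved instance id

	# determine the urn of the parent (Solaris); stays empty, and is
	# then simply omitted from the stclient command line, for any
	# other release
	SOL_PROD_URN=""
	case $SOL_VERS in
	5.11)
		SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
		;;
	5.10)
		SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
		;;
	esac

	# add the service tag ($SOL_PROD_URN is deliberately unquoted: it
	# is either empty or the two words "-F <urn>")
	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions"	\
	    -e "$SOL_VERS" -t "$TX_PROD_URN" -P Solaris $SOL_PROD_URN	\
	    -m Sun -A "$SOL_ARCH" -z global -S "$0" -r "$ROOTDIR"`
	if [ $? = 0 ]; then
		# save instance id in SMF property
		inst=`echo "$RC" | grep -i urn|awk -F=  '{print $2}'`
		/usr/sbin/svccfg -s $SMF_FMRI setprop \
		    labeld/svctag_inst = astring: "$inst"
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi
}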
do_servicetag_delete()
{
	# Undo do_servicetag_register(): remove the service tag whose
	# instance id is saved in labeld/svctag_inst, then drop the
	# property.  Nothing happens without stclient or without a
	# saved id.
	[ -x /usr/bin/stclient ] || return 0

	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	[ -n "$inst" ] || return 0

	# delete service tag
	/usr/bin/stclient -d -i $inst
	# delete saved instance id
	/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
	/usr/sbin/svcadm refresh $SMF_FMRI
}
daemon_start()
{
	# Refuse to start a second labeld: a readable door file together
	# with a labeld process owned by root and parented by init means
	# the daemon is already up.  Otherwise clear any stale door and
	# start the daemon.
	if [ -r /var/tsol/doors/labeld ] &&
	    /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
		echo "$0: labeld is already running"
		exit $SMF_EXIT_ERR_FATAL
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}
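PATH=/usr/sbin:/usr/bin; export PATH

#
# Method dispatch.  "start" enables Trusted Extensions on the live root
# (or, with -R, on an alternate root) and starts labeld; "stop" either
# just stops the daemon or, on a persistent disable, undoes the
# configuration.  Both methods need to run under smf(5).
#
case "$1" in
'start')
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if (smf_is_system_labeled); then
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start daemon proccess so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started.  Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
			/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register $ROOT_PATH
		echo "$0: Started.  Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# Same guard as the start method: without $SMF_FMRI the svcprop
	# below yields nothing, and the destructive teardown path would
	# be taken by accident when the script is run by hand.
	if [ -z "$SMF_FMRI" ]; then
		echo "$0: this script can only be invoked by smf(5)"
		exit $SMF_EXIT_ERR_NOSMF
	fi

	# While general/enabled is still true (presumably a restart or a
	# temporary disable) only the daemon is stopped; otherwise the
	# service is being disabled persistently and the Trusted
	# Extensions configuration is removed.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system.  As in do_commonstart(),
	# stage the edit in a mktemp file rather than at the predictable
	# /tmp/etc.system.$$ (we run as root; a planted symlink at a
	# guessable /tmp name would redirect the write), and copy it back
	# with cp so the ownership and mode of etc/system are kept.
	tmpfile=`/usr/bin/mktemp /tmp/etc.system.XXXXXX`
	if [ -z "$tmpfile" ]; then
		echo "$0: ERROR: cannot create temporary file for $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi
	grep -v "sys_labeling" ${ROOT_PATH}/etc/system > "$tmpfile"
	cp "$tmpfile" ${ROOT_PATH}/etc/system
	rm -f "$tmpfile"
	grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped.  Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK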