<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
	Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
	Use is subject to license terms.

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

	NOTE:  This service manifest is not editable; its contents will
	be overwritten by package or patch operations, including
	operating system upgrade.  Make customizations in a different
	file.
-->
<service_bundle type='manifest' name='SUNWcsr:policy'>

<service
	name='network/ipsec/policy'
	type='service'
	version='1'>

	<!-- The 'policy' service is delivered enabled for backwards
	compatibility with existing administrative procedure.  Its
	methods load and flush the kernel IPsec Security Policy
	Database (SPD); see the comments on each exec_method below. -->

	<create_default_instance enabled='true' />

	<single_instance />

	<!-- Read/Write access to /var/run required for lock files -->
	<dependency
		name='filesystem'
		grouping='require_all'
		restart_on='none'
		type='service'>
		<service_fmri
			value='svc:/system/filesystem/minimal'
		/>
	</dependency>
	<!-- Kernel needs to know supported IPsec algorithms -->
	<dependency
		name='algorithms'
		grouping='require_all'
		restart_on='none'
		type='service'>
		<service_fmri
			value='svc:/network/ipsec/ipsecalgs'
		/>
	</dependency>
	<!-- General networking services should not start until IPsec
	policy has been configured: milestone/network waits on this
	service, so the rules are in the SPD before general networking
	comes up.  The grouping is optional_all, so the milestone is
	not held back when this service is disabled; disabling it
	removes the protection without blocking boot. -->
	<dependent
		name='policy-network'
		grouping='optional_all'
		restart_on='none'>
		<service_fmri
			value='svc:/milestone/network'
		/>
	</dependent>

	<!-- start: load the policy file named by config/config_file
	into the SPD (-a adds the entries from the file, -q is quiet).
	The path is an SMF property, so whoever may set
	config/config_file chooses which file becomes the host's
	IPsec policy; see the 'config' property group below. -->
	<exec_method
		type='method'
		name='start'
		exec='/usr/sbin/ipsecconf -q -a %{config/config_file}'
		timeout_seconds='60'
	/>

	<!-- refresh: flush the SPD (-F) and then reload it from the
	configured file, so the SPD reflects the file as a whole and
	no stale entries survive a configuration change. -->
	<exec_method
		type='method'
		name='refresh'
		exec='/usr/sbin/ipsecconf -q -F -a %{config/config_file}'
		timeout_seconds='60'
	/>

	<!-- stop: flush every SPD entry and add nothing back.  A
	stopped or disabled policy service leaves the host with no
	IPsec policy enforced, so treat 'svcadm disable' of this
	service as a deliberate, audited change. -->
	<exec_method
		type='method'
		name='stop'
		exec='/usr/sbin/ipsecconf -F'
		timeout_seconds='60'
	/>

	<property_group name='general' type='framework'>
		<!-- A user with this authorization can:

			svcadm restart policy
			svcadm refresh policy
			svcadm mark <state> policy
			svcadm clear policy

		see auths(1) and user_attr(4) -->

		<propval
			name='action_authorization'
			type='astring'
			value='solaris.smf.manage.ipsec'
		/>
		<!-- A user with this authorization can:
			svcadm disable policy
			svcadm enable policy

		see auths(1) and user_attr(4) -->

		<propval
			name='value_authorization'
			type='astring'
			value='solaris.smf.manage.ipsec'
		/>
	</property_group>

	<!-- The properties defined below can be changed by a user
	with 'solaris.smf.value.ipsec' authorization using the
	svccfg(1M) command.

	EG:

	svccfg -s ipsec/policy setprop config/config_file = /new/config_file

	The new configurations will be read on service refresh:

	svcadm refresh ipsec/policy

	Note: svcadm stop/start does not use the new property
	until after the service has been refreshed.

	***Don't edit this manifest to change these properties! -->

	<property_group name='config' type='application'>
		<!-- Path of the IPsec policy file that the start and
		refresh methods hand to ipsecconf.  Changing it is
		equivalent to authoring the host's IPsec policy, so
		'solaris.smf.value.ipsec' should be granted as narrowly
		as 'solaris.smf.manage.ipsec'. -->
		<propval
			name='config_file'
			type='astring'
			value='/etc/inet/ipsecinit.conf'
		/>
		<!-- Note that this is a different authorization from the
		'solaris.smf.manage.ipsec' used in the 'general' group
		above; holding one does not imply the other. -->
		<propval
			name='value_authorization'
			type='astring'
			value='solaris.smf.value.ipsec'
		/>
	</property_group>

	<!-- transient: the methods run to completion and no
	long-running process is tracked by svc.startd. -->
	<property_group name='startd' type='framework'>
		<propval
			name='duration'
			type='astring'
			value='transient'
		/>
	</property_group>

	<stability value='Unstable' />

	<template>
		<common_name>
			<loctext xml:lang='C'>
				IPsec policy initialization
			</loctext>
		</common_name>
		<description>
			<loctext xml:lang='C'>
				IPsec policy configuration involves
				loading rules into the kernel Security
				Policy Database (SPD)
			</loctext>
		</description>
		<documentation>
			<manpage title='ipsecconf' section='1M'
				manpath='/usr/share/man' />
		</documentation>
	</template>
</service>
</service_bundle>