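#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
#

#
# SMF method script for labeld (Trusted Extensions).
#
# Usage: <script> { start | stop }
#        <script> start -R rootpath
#
# "start" either launches /usr/lib/labeld on an already labeled system or
# makes the configuration changes that enable Trusted Extensions
# (etc/system, etc/logindevperm, etc/pam.conf, dependent services).
# "stop" stops labeld or reverts those changes.  With -R the changes are
# applied to an alternate root instead of the running system.
#
# Security note: the files edited here (etc/system, etc/pam.conf,
# etc/logindevperm) are trust-critical.  Scratch copies are therefore never
# placed directly in the world-writable /tmp under a predictable name; they
# live either beside the file being edited or inside a directory this script
# created itself, so no other local user can pre-create or alter them.
#

. /lib/svc/share/smf_include.sh

# Parse the optional "-R rootpath" pair; it must be argument 2 and 3.
ROOT_PATH=""
if [ $# -gt 1 ]; then
    if [ $# -ne 3 -o "$2" != "-R" ]; then
        echo "$0: invalid syntax"
        exit $SMF_EXIT_ERR_CONFIG
    fi
    if [ "$3" != "/" ]; then
        ROOT_PATH=$3
    fi
fi
if [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
    echo "$0: invalid syntax: -R allowed for start method only"
    exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
    echo "$0: invalid -R rootpath dir specified"
    exit $SMF_EXIT_ERR_CONFIG
fi

if smf_is_nonglobalzone; then
    echo "$0: not supported in a local zone"
    exit $SMF_EXIT_ERR_CONFIG
fi

# Field separators (blank and tab) used inside the sed/grep bracket
# expressions below.
# NOTE(review): the listing this was restored from shows only a blank in
# those brackets; tabs are accepted as well because the edited files are
# normally tab separated -- confirm against the original file.
WS=`/usr/bin/printf ' \t'`

#
# rewrite_logindev from to
#
# Replace the prefix "from" with "to" on the audio, usb, removable-media
# and hotpluggable device entries of etc/logindevperm ("" -> "#" comments
# them out, "#" -> "" restores them).  Does nothing if the file is absent.
#
rewrite_logindev()
{
    from="$1"
    to="$2"
    # Comment out audio, usb, removable-media, and hotpluggable device
    # entries in /etc/logindevperm.
    LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
    if [ ! -f $LOGINDEVPERM ]; then
        return
    fi
    # Scratch copy sits next to the target rather than in /tmp.
    LOGINDEV_TMP=$LOGINDEVPERM.$$
    for line in \
        "/dev/sound/" \
        "/dev/removable-media/" \
        "/dev/hotpluggable/" \
        "/dev/usb/\[0-9a-f\]" \
    ; do
        # Fields: console, mode (digits), device list.  The middle
        # bracket expression previously read "[ }" (unterminated), which
        # only matched by accident; it is now the intended separator.
        # Only copy back when sed succeeded, so a failed or short write
        # cannot truncate the live file.
        if sed -e "s!^$from\([^#${WS}]\{1,\}[${WS}]\{1,\}[0-9]\{1,\}[${WS}]\{1,\}\)$line!$to\1$line!" \
            $LOGINDEVPERM > $LOGINDEV_TMP; then
            cp $LOGINDEV_TMP $LOGINDEVPERM
        else
            echo "$0: cannot rewrite $LOGINDEVPERM; left unchanged"
        fi
    done
    rm -f $LOGINDEV_TMP
}

# Comment out the device entries handled by rewrite_logindev.
do_logindev()
{
    rewrite_logindev "" "#"
}

# Queue the enabling of dependent services in var/svc/profile/upgrade.
do_otherservices()
{
    # Setup dependent services
    cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
    /usr/sbin/svcadm enable -s svc:/network/tnd:default
    /usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
    /usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS

}

# Enable auditing and device allocation: immediately on the running
# system, or via var/svc/profile/upgrade for an alternate root.
do_audit_devalloc()
{
    # Ensure auditing and device allocation are enabled by
    # default with Trusted Extensions.
    if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
        /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
        echo "Starting auditd ..."
        /usr/sbin/audit -s
    else
        cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
    /usr/sbin/audit -s
    /usr/sbin/svcadm enable -s svc:/system/device/allocate:default
_ENABLE_AUDITD
    fi
}

# Queue commands in var/svc/profile/upgrade that mark the nscd service
# transient when they run outside the global zone.
do_nscd()
{
# For Trusted Extensions, make nscd service transient in local zones.
cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
    if [ `/sbin/zonename` != "global" ]; then
        nscd="svc:/system/name-service-cache"
        duration=""
        if /bin/svcprop -q -c -p startd/duration $nscd ; then
            duration=`/bin/svcprop -c -p startd/duration $nscd`
        fi
        if [ "$duration" != "transient" ]; then
            /usr/sbin/svccfg -s $nscd addpg startd framework
            /usr/sbin/svccfg -s $nscd setprop \
                startd/duration = astring: transient
            /usr/sbin/svccfg -s $nscd setprop stop/exec = :true
            /usr/sbin/svcadm refresh $nscd
        fi
    fi
_DEL_LOCAL_NSCD
}

# Rebuild the boot archive if one exists under the (alternate) root.
do_bootupd()
{
    if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
        if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
            /sbin/bootadm update-archive
        else
            /sbin/bootadm update-archive -R $ROOT_PATH
        fi
    fi
}

# Write the pam.conf entries wanted for Trusted Extensions to $TX_ENTRIES
# (set by the caller), one entry per line.
setup_tx_changes(){
#
# No comments or blanks lines allowed in entries below
#
cat > ${TX_ENTRIES} << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}

#
# Append the Trusted Extensions entries to etc/pam.conf unless an
# equivalent entry is already there.  Exits with $SMF_EXIT_ERR_FATAL if
# the scratch directory cannot be created or pam.conf is missing.
#
do_addpam()
{
    PAM_TMP=/tmp/pam_conf.$$
    TX_ENTRIES=$PAM_TMP/sct.$$
    PAM_DEST=$ROOT_PATH/etc/pam.conf
    # Pending additions are collected inside $PAM_TMP, which mkdir below
    # creates for this run (mkdir fails if the name already exists), not
    # in a predictable file directly under /tmp: whatever ends up in this
    # file is appended to pam.conf.
    PAM_NEW=$PAM_TMP/pamconf.$$

    mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL
    setup_tx_changes

    # verify that pam.conf file exists...
    if [ ! -f ${PAM_DEST} ]; then
        echo "$0: ${PAM_DEST} not found; aborting"
        rm -rf $PAM_TMP
        exit $SMF_EXIT_ERR_FATAL
    fi

    #
    # Update pam.conf to append Trusted Extensions entries if not
    # already present.
    #
    rm -f $PAM_NEW
    while read e1 e2 e3 e4 e5
    do
        # If this is the 'other' entry, add it unless it already
        # exists.
        if [ "$e1" = "other" ]; then
            grep \
"^[#${WS}]*$e1[${WS}][${WS}]*$e2[${WS}][${WS}]*$e3[${WS}][${WS}]*$e4" \
                $PAM_DEST >/dev/null 2>&1
            if [ $? = 1 ] ; then
                # Doesn't exist, enter into pam.conf
                echo "$e1\t$e2 $e3\t\t$e4 $e5" \
                    >> $PAM_NEW
            fi
        else
            # Add other entries unless they already have a
            # stack of their own.
            grep "^[#${WS}]*$e1[${WS}][${WS}]*$e2[${WS}]" \
                $PAM_DEST >/dev/null 2>&1
            if [ $? = 1 ] ; then
                echo "$e1\t$e2 $e3\t\t$e4 $e5" \
                    >> $PAM_NEW
            fi
        fi
    done < ${TX_ENTRIES}
    # Append TX lines if any were not present already.
    if [ -f $PAM_NEW ] ; then
        echo "# Entries for Trusted Extensions" >> $PAM_DEST
        cat $PAM_NEW >> $PAM_DEST
        echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
        echo "$0: please examine/update any new entries"
        rm -f $PAM_NEW
    fi

    rm -rf $PAM_TMP
}

#
# Remove every pam_tsol_account line from etc/pam.conf.  Exits with
# $SMF_EXIT_ERR_FATAL if pam.conf is missing or cannot be filtered.
#
do_pamremove()
{
    PAM_TMP=/tmp/pam_conf.$$
    TX_ENTRIES=$PAM_TMP/sct.$$
    PAM_DEST=$ROOT_PATH/etc/pam.conf
    TMPFILE=$PAM_TMP/pam.conf

    mkdir $PAM_TMP || exit $SMF_EXIT_ERR_FATAL

    # verify that pam.conf file exists...
    if [ ! -f ${PAM_DEST} ]; then
        echo "$0: ${PAM_DEST} not found; aborting"
        rm -rf $PAM_TMP
        exit $SMF_EXIT_ERR_FATAL
    fi


    grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "$0: pam_tsol_account module not present,"
        echo "$0: No changes were made to $PAM_DEST."
        # do not leave the scratch directory behind
        rm -rf $PAM_TMP
        return
    fi

    grep -v pam_tsol_account $PAM_DEST > $TMPFILE
    # grep exits 0 or 1 for "lines kept" / "no lines kept"; anything
    # higher is a failure, and copying a partial file back would damage
    # pam.conf.
    if [ $? -gt 1 ]; then
        echo "$0: cannot filter $PAM_DEST; aborting"
        rm -rf $PAM_TMP
        exit $SMF_EXIT_ERR_FATAL
    fi
    echo "$0: $PAM_DEST "tsol" entries removed"
    cp $TMPFILE $PAM_DEST

    rm -rf $PAM_TMP
}

#
# Configuration steps shared by both "start" variants: set sys_labeling=1
# in etc/system, then run the service, logindevperm, audit, nscd, pam.conf
# and boot-archive steps.  Exits with $SMF_EXIT_ERR_FATAL if etc/system
# cannot be updated.
#
do_commonstart()
{
    echo "$0: Updating $ROOT_PATH/etc/system..."
    if [ ! -f ${ROOT_PATH}/etc/system ]; then
        touch ${ROOT_PATH}/etc/system
    fi

    # Set sys_labeling in etc/system
    # The new copy is built beside etc/system, not under a predictable
    # name in /tmp, because it replaces etc/system as a whole.
    SYSTEM_TMP=${ROOT_PATH}/etc/system.$$
    grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > $SYSTEM_TMP
    # status 1 only means nothing was kept (e.g. an empty file)
    if [ $? -gt 1 ]; then
        rm -f $SYSTEM_TMP
        echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
        exit $SMF_EXIT_ERR_FATAL
    fi
    echo "set sys_labeling=1" >> $SYSTEM_TMP
    mv $SYSTEM_TMP ${ROOT_PATH}/etc/system
    grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
        exit $SMF_EXIT_ERR_FATAL
    fi

    # Setup dependent services
    do_otherservices

    do_logindev
    do_audit_devalloc
    do_nscd
    do_addpam

    do_bootupd
}

#
# do_servicetag_register rootdir
#
# Register a "Solaris Trusted Extensions" service tag with stclient and
# remember its instance id in the labeld/svctag_inst property of
# $SMF_FMRI.  Does nothing if stclient is not installed or the saved
# instance id still matches a service tag.
#
do_servicetag_register()
{
    ROOTDIR=$1
    SOL_ARCH=`/sbin/uname -p`
    SOL_VERS=`/sbin/uname -r`
    TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

    if [ ! -x /usr/bin/stclient ]; then
        return
    fi

    # if already registered then do nothing more here
    inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
    if [ -n "$inst" ]; then
        # this instance id was saved in a SMF property
        /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1
        if [ $? = 0 ]; then
            # matching service tag found, so do nothing
            return
        else
            # no match for instance id saved in SMF property
            /usr/sbin/svccfg -s $SMF_FMRI delprop \
                labeld/svctag_inst
            /usr/sbin/svcadm refresh $SMF_FMRI
        fi
    fi


    # fall through: no service tag, or does not match saved instance id

    # determine the urn of the parent (Solaris)
    SOL_PROD_URN=""
    case $SOL_VERS in
    5.11)
        SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
        ;;
    5.10)
        SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
        ;;
    esac

    # add the service tag
    # $SOL_PROD_URN stays unquoted on purpose: it holds "-F <urn>" and
    # must split into two arguments (or vanish when empty).
    RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
        -e $SOL_VERS -t $TX_PROD_URN -P Solaris $SOL_PROD_URN \
        -m Sun -A $SOL_ARCH -z global -S $0 -r $ROOTDIR`
    if [ $? = 0 ]; then
        # save instance id in SMF property
        inst=`echo "$RC" | grep -i urn|awk -F= '{print $2}'`
        /usr/sbin/svccfg -s $SMF_FMRI setprop \
            labeld/svctag_inst = astring: "$inst"
        /usr/sbin/svcadm refresh $SMF_FMRI
    fi
}

# Delete the service tag whose instance id is saved in the
# labeld/svctag_inst property, then delete the property itself.
do_servicetag_delete()
{
    if [ ! -x /usr/bin/stclient ]; then
        return
    fi

    inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`

    if [ -n "$inst" ]; then
        # delete service tag
        /usr/bin/stclient -d -i $inst
        # delete saved instance id
        /usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
        /usr/sbin/svcadm refresh $SMF_FMRI
    fi
}


# Start /usr/lib/labeld after removing a stale door file; exits with
# $SMF_EXIT_ERR_FATAL if a labeld process is already running.
daemon_start()
{
    # If a labeld door exists, check for a labeld process and exit
    # if the daemon is already running.
    if [ -r /var/tsol/doors/labeld ]; then
        if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
            echo "$0: labeld is already running"
            exit $SMF_EXIT_ERR_FATAL
        fi
    fi
    /usr/bin/rm -f /var/tsol/doors/labeld
    /usr/lib/labeld
}

PATH=/usr/sbin:/usr/bin; export PATH

case "$1" in
'start')
    if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
        # native

        if [ -z "$SMF_FMRI" ]; then
            echo "$0: this script can only be invoked by smf(5)"
            exit $SMF_EXIT_ERR_NOSMF
        fi

        tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
        if [ "$tx_enabled" = "false" ]; then
            # A sign of trying temporary enablement...no-no
            echo "$0: Temporarily enabling Trusted Extensions is not allowed."
            exit $SMF_EXIT_ERR_CONFIG
        fi

        if (smf_is_system_labeled); then
            do_servicetag_register /
            daemon_start
            exit $SMF_EXIT_OK
        fi

        # Make changes to enable Trusted Extensions
        grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "$0: already enabled. Exiting."
            exit $SMF_EXIT_OK
        fi

        if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
            echo "$0: Must remove zones before enabling Trusted Extensions."
            exit $SMF_EXIT_ERR_CONFIG
        fi

        do_commonstart

        do_servicetag_register /

        # start daemon process so our service doesn't go into
        # maintenance state
        daemon_start

        echo "$0: Started. Must reboot and configure Trusted Extensions."
    else
        # Support jumpstart etc

        # Make changes to enable Trusted Extensions
        grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo "$0: already enabled. Exiting."
            exit $SMF_EXIT_OK
        fi

        # Setup dependent services
        cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
    /usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

        do_commonstart
        do_servicetag_register $ROOT_PATH
        echo "$0: Started. Must configure Trusted Extensions before booting."
    fi
    ;;

'stop')
    tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
    if [ "$tx_enabled" = "true" ]; then
        /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
        exit $SMF_EXIT_OK
    fi

    if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
        echo "$0: Must remove zones before disabling Trusted Extensions."
        exit $SMF_EXIT_ERR_CONFIG
    fi

    # Stop Trusted services.
    /usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
    /usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

    # Uncomment audio, usb, removable-media, and hotpluggable device
    # entries in /etc/logindevperm.
    rewrite_logindev "#" ""

    # Remove sys_labeling from /etc/system
    # As in do_commonstart, the replacement is built beside etc/system
    # rather than under a predictable name in /tmp.
    SYSTEM_TMP=${ROOT_PATH}/etc/system.$$
    grep -v "sys_labeling" ${ROOT_PATH}/etc/system > $SYSTEM_TMP
    # status 1 only means nothing was kept; higher is a real failure
    if [ $? -gt 1 ]; then
        rm -f $SYSTEM_TMP
        echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
        exit $SMF_EXIT_ERR_FATAL
    fi
    mv $SYSTEM_TMP ${ROOT_PATH}/etc/system
    grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
        exit $SMF_EXIT_ERR_FATAL
    fi

    do_pamremove
    do_servicetag_delete

    do_bootupd

    /usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
    echo "$0: Stopped. Will take effect at next boot."
    ;;

*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

exit $SMF_EXIT_OK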