OpenSolaris_b135/pkgdefs/SUNWsckmr/postinstall

#! /usr/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#pragma ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

IPSECINIT="$BASEDIR/etc/inet/ipsecinit.conf"

#
# Update IPsec policy configuration file only if installed
# on a Sun Fire 15000.
#
platform=`uname -i`
starcat="SUNW,Sun-Fire-15000"
if [ ${platform} != "${starcat}" ]; then
	exit 0
fi

issue_warning=0

#
# Function to update ipsecinit.conf if necessary.
#
# Usage:
#	remove_ipsecinit_entry  sport|dport  service  apply|permit \
#		auth_algs  [sa_state]
#
# Note: If an entry exists that uses the same (sport|dport)/service
# combination that entry is not removed. This is to prevent
# the removal of any custom policies that might have been established.
#
remove_ipsecinit_entry()
{
	# Build default entries
	if [ $3 = "permit" ]; then
		default="{ $1 $2 ulp tcp } $3 { auth_algs $4 }"
	else
		default="{ $1 $2 ulp tcp } $3 { auth_algs $4 sa $5 }"
	fi

	# Check for a default entry, and remove it
	grep "$default" $IPSECINIT > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		sed "/$default/d" $IPSECINIT > /tmp/ipsec.$$ && \
		    cat /tmp/ipsec.$$ > $IPSECINIT
		rm -f /tmp/ipsec.$$
		return
	fi

	#
	# Check the file for an entry that
	# has a matching (sport|dport)/port pair
	#
	nawk "	BEGIN		{ RS=\"}\" }
		/$1.*$2/	{ exit 1 }
	" $IPSECINIT > /dev/null 2>&1

	# Found a modified entry, just issue a warning
	if [ $? -eq 1 ]; then
		echo "Found a policy for $1 $2 that does not match the" \
		     "default policy"
		issue_warning=1
	fi
}

#
# Perform extra activities if the installation is an Upgrade
# and not an initial installation.
#
upgradeExtras()
{

# Enable the sckmd service on the
# system if it is a SUNW,Sun-Fire-15000 machine.
cat >> $BASEDIR/var/svc/profile/upgrade << \_ENABLE_SCKMD

#
# Enable sckmd if running on a SUNW,Sun-Fire-15000 platform
#
if [ `/sbin/uname -i` = "SUNW,Sun-Fire-15000" ]; then
	/usr/sbin/svcadm enable svc:/platform/sun4u/sckmd:default
fi

_ENABLE_SCKMD
}

#
# The temporary file will be created by the preinstall script
# if the sckmd service is being installed for the first time by
# means of an upgrade. If the temporary file does not exist,
# it is not necessary to take any action.
#
TMPFILE=$BASEDIR/tmp/sckmd.tmp
if [ -f $TMPFILE ]; then
	upgradeExtras
	rm -f $TMPFILE
fi

#
# Remove all of our default policies
#
remove_ipsecinit_entry dport sun-dr permit md5
remove_ipsecinit_entry sport sun-dr apply md5 unique
remove_ipsecinit_entry dport cvc_hostd permit md5
remove_ipsecinit_entry sport cvc_hostd apply md5 unique


if [ $issue_warning -eq 1 ]; then
	echo
	echo "NOTICE: One or more of the default IPsec policies for the"
	echo "Sun Fire 15000 services has been modified. As a result, the"
	echo "modified policy for those services was not removed. Please"
	echo "verify that the /etc/inet/ipsecinit.conf file is correct."
	echo "For more information, refer to sckmd(1M) and ipsecconf(1M)."
	echo
fi

exit 0