The mandatory access control model in FreeBSD

Introduction

To add another layer of security to a server, you can use the mandatory access control (MAC) model. This article describes how to run Apache inside a jail with access only to the files that Apache and PHP need in order to work correctly. The same approach can be used to confine not just Apache but any other service.

Preparation

This method works only on the UFS file system (multilabel support is a UFS feature); in this example ZFS is used for the host system and UFS inside the jail. The first step is to rebuild the kernel, so install the source tree when installing FreeBSD.
Once the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Add one line to this file:

options     MAC_MLS

mls/high is a higher sensitivity level than mls/low: a process running at mls/low cannot read files labelled mls/high and, conversely, a process at mls/high cannot write to mls/low files ("no read up, no write down"). Details on all the labels available in FreeBSD can be found in the handbook linked at the end of this article.
Next, change to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (the value after -j is the number of CPU cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel has been compiled, install it:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not reboot yet: the login class of the users has to be changed first. Edit /etc/login.conf and bring the default login class into the following form:

default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
        :nologin=/var/run/nologin:\
        :cputime=unlimited:\
        :datasize=unlimited:\
        :stacksize=unlimited:\
        :memorylocked=64K:\
        :memoryuse=unlimited:\
        :filesize=unlimited:\
        :coredumpsize=unlimited:\
        :openfiles=unlimited:\
        :maxproc=unlimited:\
        :sbsize=unlimited:\
        :vmemoryuse=unlimited:\
        :swapuse=unlimited:\
        :pseudoterminals=unlimited:\
        :kqueues=unlimited:\
        :umtxp=unlimited:\
        :priority=0:\
        :ignoretime@:\
        :umask=022:\
        :label=mls/equal:

The :label=mls/equal line lets users in this class access files carrying any label (mls/low, mls/high). After these changes, rebuild the login class database and put the root user (and any other users that need it) into this class:

cap_mkdb /etc/login.conf
pw usermod root -L default

The /etc/mac.conf file controls which label elements MAC-aware userland tools (ls -Z, ps -Z and so on) display by default; enforcement itself is done by the kernel regardless of this file. To have only the MLS label of files displayed, edit the file and leave a single line in it (the ? marks the element as optional, so the tools do not complain if the module is not loaded):

default_labels file ?mls

Add the mac_mls.ko module to the boot loader's autoload list (if you compiled the policy into the kernel with options MAC_MLS as above, this entry is redundant; either of the two is enough):

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that you can reboot the system. How to set up a jail is described in another of my articles. Before creating the jail, add a disk, create a file system on it and enable multilabel support on that file system; here a UFS2 file system with a 64 KB block size is created (tunefs must be run while the file system is not mounted):

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After the file system has been created and multilabel enabled, add the disk to /etc/fstab by appending the line:

/dev/ada1               /jail  ufs     rw              0       1

Under Mountpoint give the directory where you will mount the disk; under Pass make sure to put 1 (the order in which the partition is checked by fsck at boot). This matters because UFS does not tolerate sudden power loss well. Then mount the disk:

mount /dev/ada1 /jail

Deploy the jail into this directory. Once the jail is running, repeat inside it the same steps as on the host system: the users' login class and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before setting the labels, I recommend installing all the required packages first; in my case the labels are set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels are set according to the dependencies of these packages. You could, of course, do it more simply: label the /usr/local/lib directory and the files in it mls/low, and packages installed later (new PHP extensions, for example) would be able to use the libraries in that directory. I prefer to grant access only to the files that are actually needed. Stop the jail and label all of its files mls/high:

setfmac -R mls/high /jail

The labelling is interrupted if setfmac encounters hard links; in my case I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After labelling everything mls/high, set mls/low labels for Apache. The first thing to do is find out which files Apache needs in order to start:

ldd /usr/local/sbin/httpd

This command lists the shared library dependencies, but labelling only those files is not enough: the directories that contain them are still labelled mls/high, so every directory on the path must be labelled mls/low as well, otherwise a mls/low process cannot even traverse to the file. On startup Apache will also report the files it is missing, and for PHP these dependencies can be found in httpd-error.log. The paths below are as seen from inside the jail; with the jail stopped, run the commands in a chroot into the jail root or prefix each path with the jail directory (/jail here):
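Deriving the list by hand from ldd output, and remembering every parent directory, is error-prone. The script below is an added example and not part of the original article: it turns ldd(1) output into a de-duplicated list of setfmac commands that includes the file, the executable itself and every directory on each path, and skips "not found" entries with a warning instead of emitting a bogus label command. The ldd output embedded here is a constructed sample; on the jail you would pipe in the real output of ldd /usr/local/sbin/httpd, and the runtime paths Apache needs beyond its libraries (pidfile, logs, configuration) are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original article): build a setfmac(8) plan from
# ldd(1) output. For every resolved library (and the executable itself) it
# emits the file plus every parent directory, because a mls/low process is
# denied traversal of any directory that still carries mls/high.

# ancestors PATH: print each directory above PATH (deepest first, ending at /)
ancestors() {
    _p=$1
    while [ "$_p" != / ]; do
        _p=${_p%/*}
        [ -n "$_p" ] || _p=/
        printf '%s\n' "$_p"
    done
}

# ldd_paths: read ldd output on stdin; print the resolved path of every
# "libfoo => /path/libfoo (0x...)" line and the executable named in header
# lines of the form "/path/to/binary:". Unresolved entries come out as "not".
ldd_paths() {
    while IFS= read -r line; do
        case $line in
            *'=>'*) rest=${line#*'=> '}; printf '%s\n' "${rest%% *}" ;;
            /*:)    printf '%s\n' "${line%:}" ;;
        esac
    done
}

# label_plan [EXTRA_PATH ...]: stdin = ldd output. Adds the runtime paths given
# as arguments (logs, pidfile, config dir), then prints one sorted, unique
# "setfmac mls/low PATH" line per file and per directory on its path.
# Anything that is not an absolute path (e.g. "not found") is reported on
# stderr and left out of the plan.
label_plan() {
    {
        ldd_paths
        for extra in "$@"; do printf '%s\n' "$extra"; done
    } | while IFS= read -r p; do
        case $p in
            /*)
                p=${p%/}; [ -n "$p" ] || p=/
                printf '%s\n' "$p"
                ancestors "$p"
                ;;
            *)  printf 'warning: unresolved dependency skipped: %s\n' "$p" >&2 ;;
        esac
    done | sort -u | sed 's,^,setfmac mls/low ,'
}

# Constructed sample of ldd output (a real httpd links many more libraries);
# the "not found" entry shows how an unresolved dependency is handled.
SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800290000)
        libc.so.7 => /lib/libc.so.7 (0x800400000)
        libmissing.so.0 => not found (0)'

printf '%s\n' "$SAMPLE_LDD" | label_plan /var/run/httpd.pid
```

On the jail itself, run ldd /usr/local/sbin/httpd | label_plan /var/run/httpd.pid /var/log/httpd-error.log /var/log/httpd-access.log, review the resulting list, and only then pipe it to sh; the warning on stderr tells you about dependencies that ldd could not resolve and that no label would fix.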

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files that the Apache and PHP combination needs in order to work correctly (for the packages installed in my case).
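Once the list has been applied it is worth checking it in both directions: every path on it must really be mls/low, and nothing else in the jail should be. The script below is an added check, not part of the original article. It takes an allowlist (the paths above, one per line) and a label dump assumed to come from running find / -exec getfmac {} + inside the jail (one "path: label" line per file), and reports allowlisted paths that are not mls/low (Apache would be denied access) as well as mls/low or mls/equal paths that are not on the allowlist (exposed to the web server for no reason). The allowlist and dump used here are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original article): audit the labels actually set
# on disk against the allowlist of paths Apache/PHP need.
#   ALLOWLIST_FILE: one absolute path per line (the setfmac list, paths only)
#   DUMP_FILE:      getfmac output, one "PATH: LABEL" line per file
# Paths containing ": " are not supported by this simple parser.

# audit_labels ALLOWLIST_FILE DUMP_FILE: prints one finding per line and
# returns 1 if there is any finding, 0 if the labels match the allowlist.
audit_labels() {
    allow=$1 dump=$2 rc=0
    # 1. every allowlisted path must carry mls/low, otherwise httpd (running
    #    at mls/low) is denied access to it
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        grep -Fxq "$p: mls/low" "$dump" || { printf 'NOT-LOW %s\n' "$p"; rc=1; }
    done < "$allow"
    # 2. anything readable from mls/low that is not on the allowlist is
    #    needless exposure (mls/equal is reachable from every level too)
    while IFS= read -r line; do
        lbl=${line##*: }
        p=${line%: *}
        case $lbl in
            mls/low|mls/equal)
                grep -Fxq "$p" "$allow" || { printf 'UNEXPECTED %s %s\n' "$lbl" "$p"; rc=1; }
                ;;
        esac
    done < "$dump"
    return $rc
}

# make_sample DIR: write constructed sample data (not a real jail) into DIR:
# an allowlist of three paths and a dump in which /lib was left mls/high and
# /etc/master.passwd was mistakenly labelled mls/low.
make_sample() {
    printf '%s\n' /lib /lib/libc.so.7 /etc/passwd > "$1/allow"
    printf '%s\n' '/lib: mls/high' '/lib/libc.so.7: mls/low' \
        '/etc/passwd: mls/low' '/etc/master.passwd: mls/low' \
        '/root/.history: mls/high' > "$1/dump"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_labels "$tmp/allow" "$tmp/dump" || echo "audit found label problems"
rm -rf "$tmp"
```

Against the sample data the audit prints NOT-LOW /lib (libc is low but its directory is not, so httpd still cannot load it) and UNEXPECTED mls/low /etc/master.passwd (the password hashes would be readable from the web server's level). Run it again after every package update, since reinstalled files come back with the default label.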

The final touch is to make the jail run at the mls/equal level and Apache at mls/low. To start the jail, modify the /etc/rc.d/jail script: find the jail_start function and change the command variable to the following form (note that /etc/rc.d/jail belongs to the base system and is replaced on upgrades, so this change has to be reapplied afterwards):

command="setpmac mls/equal $jail_program"

The setpmac command runs the executable at the requested label, in this case mls/equal, which can access files at all levels. For Apache, edit the startup script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function to:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

There is another example in the manual, but I could not use it because I kept getting a message that the setpmac command could not be used.

Conclusion

This method provides a way to add another layer of security to Apache (although it is equally suitable for other services) running inside a jail, while for the administrator all of this remains transparent.

Sources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
