Mandatory access control model on FreeBSD

Introduction

To add another layer of server security, you can use a mandatory access control model. This post shows how to run apache inside a jail with access only to those parts of the filesystem that apache and php need in order to work correctly. Using the same principle, you can restrict not only Apache but other stacks as well.

Preparation

This method works for the ufs filesystem; in this example zfs is used for the host system and ufs inside the jail. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Add just one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: applications launched with the mls/low label cannot access files that carry the mls/high label. More information about all the labels available in FreeBSD can be found in this guide.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (in the -j parameter, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has compiled, install it:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because users first need to be moved to a login class configured in advance. Edit the /etc/login.conf file; in it you need to edit the default login class and bring it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal allows users of this class to access files marked with any label (mls/low, mls/high). After these manipulations you need to rebuild the database and assign the root user (and anyone else who needs it) to this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply to files only, edit the /etc/mac.conf file, leaving just one line:

default_labels file ?mls

You also need to add the mac_mls.ko module to autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that, you can reboot the system. How to create a jail is covered in one of my earlier posts. But before creating the jail, you need to add a hard disk and create a filesystem on it that can carry multiple labels; create a ufs2 filesystem with a block size of 64kb:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the filesystem and enabling multilabel support, you need to add the disk to /etc/fstab by adding this line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint column, specify the directory where you will mount the disk; in the Pass column, be sure to specify 1 (the order in which this disk is checked). This is necessary because the ufs filesystem is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, repeat the same manipulations with users and the /etc/login.conf and /etc/mac.conf files inside the jail as you did in the host system.

Configuration

Before setting the required labels, I recommend installing the packages needed for your case; the labels will then be set for these packages:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, labels are set with the dependencies of these packages in mind. Of course, you can do it more simply: set the mls/low label on the /usr/local/lib directory and the files in it, and packages installed later (for example, php add-ons) will place their libraries in that directory; but I prefer to grant access only to the files that are actually required. Stop the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

While setting labels, the process stops if setfmac encounters hard links; in my example I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After setting the labels, you need to set mls/low labels for apache; the first thing to do is find out which files are needed to start apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are displayed on screen, but setting the required labels on these files alone is not enough, because the directories containing them still carry the mls/high label, so those directories must also be labelled mls/low. At startup, apache will also report the files it needs in order to run, and for php these dependencies can be seen in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac  mls/low /dev
setfmac  mls/low /dev/random
setfmac  mls/low /usr/local/libexec
setfmac  mls/low /usr/local/libexec/apache24
setfmac  mls/low /usr/local/libexec/apache24/*
setfmac  mls/low /etc/pwd.db
setfmac  mls/low /etc/passwd
setfmac  mls/low /etc/group
setfmac  mls/low /etc/
setfmac  mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files required for the correct operation of the apache and php bundle (for the packages installed in my example).
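As an added example (not part of the original post), the following POSIX sh script automates the step described above: it takes ldd output, expands each library into the full set of parent directories that a process running at mls/low must be able to traverse, emits the corresponding setfmac commands for review, and compares the result against getfmac output to report which paths are still at mls/high. The ldd and getfmac samples are constructed here, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample of `ldd /usr/local/sbin/httpd` output (not captured from a real host).
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a3c000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample of `getfmac` output for the same paths after `setfmac -R mls/high /jail`
# and a partial relabel: the directories /lib and /usr/local/lib were forgotten.
SAMPLE_GETFMAC='/: mls/low
/lib: mls/high
/lib/libc.so.7: mls/low
/lib/libcrypt.so.5: mls/low
/usr: mls/low
/usr/local: mls/low
/usr/local/lib: mls/high
/usr/local/lib/libaprutil-1.so.0: mls/low
/usr/local/lib/libpcre.so.1: mls/low'

# Print every path an mls/low process must be able to traverse: each resolved
# library plus all of its parent directories up to /, one per line, deduplicated.
label_closure() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while IFS= read -r p; do
        printf '%s\n' "$p"
        while [ "$p" != "/" ]; do
            p=$(dirname "$p")   # walk up: /usr/local/lib -> /usr/local -> /usr -> /
            printf '%s\n' "$p"
        done
    done | sort -u
}

# Emit setfmac commands for the closure instead of running them, so the list can
# be reviewed before any label is changed.
gen_setfmac_cmds() {
    label_closure "$1" | while IFS= read -r p; do
        printf 'setfmac mls/low %s\n' "$p"
    done
}

# Given ldd output and getfmac output, list closure paths whose label is not mls/low.
# Any path printed here would prevent httpd from starting at mls/low.
still_high() {
    label_closure "$1" | while IFS= read -r p; do
        lbl=$(printf '%s\n' "$2" | awk -v path="$p" '$1 == (path ":") { print $2 }')
        [ "$lbl" = "mls/low" ] || printf '%s\t%s\n' "$p" "${lbl:-unlabeled}"
    done
}
```

On a real host, replace the samples with `ldd /usr/local/sbin/httpd` and `getfmac` run over the closure inside the jail; the same check applies to the php libraries reported in httpd-error.log.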

The final touch is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to modify the /etc/rc.d/jail script: find the jail_start function in that script and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required label, in this case mls/equal, so that it has access to all labels. For apache you need to edit the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook contains another example, but I could not use it because I kept getting an error saying the setpmac command could not be used.

Conclusion

This mandatory access control method adds a layer of security to apache (although the method is also suitable for other stacks); in addition it runs inside a jail, and at the same time all of this is transparent to the administrator.

List of sources that helped me write this post:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: will.com
