Privilege separation in FreeBSD

Introduction

To add a further layer of protection to a server, you can use the role-based privilege separation model. This guide describes how to run Apache inside a jail with access only to the files that Apache and PHP need in order to work. The same principle can be used to confine not just Apache but any other stack.

Preparation

This method works only on the UFS file system; in this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so when installing FreeBSD, install the system sources as well.
Once the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Add just one line to this file:

options     MAC_MLS

The mls/high label ranks above the mls/low label: a program started with the mls/low label cannot access files carrying the mls/high label. A description of all the labels available in FreeBSD can be found in the MAC chapter of the FreeBSD Handbook (listed in the sources at the end).
Next, change to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (the value of -j is the number of CPU cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been built, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not reboot yet: the users first have to be moved into a login class that has been configured for MLS. Edit /etc/login.conf and bring the login class into the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: lets users in this class access files carrying any label (mls/low, mls/high). After these changes, rebuild the login class database and put the root user (and any other users who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default
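To make the label ordering used above concrete (mls/low below mls/high, and mls/equal matching everything), here is a small shell model of the MLS comparison rule. It is an added example, not code from the article or from FreeBSD; the numeric grades 0 and 65535 for mls/low and mls/high are an assumption of the model (only their order matters), and label compartments are not modelled.

```shell
#!/bin/sh
# Added example (not from the article): a small model of how the MLS policy
# compares the labels used in this guide, so the effect of mls/low, mls/high
# and mls/equal can be checked before touching a real system.

# Map a label to a numeric grade; the policy orders mls/low < mls/N < mls/high.
# The values 0 and 65535 are an assumption of this model; only their order
# matters here.
mls_grade() {
    case $1 in
        mls/low)    echo 0 ;;
        mls/high)   echo 65535 ;;
        mls/[0-9]*) echo "${1#mls/}" ;;
        *)          echo "unknown label: $1" >&2; return 1 ;;
    esac
}

# Succeeds when label A dominates label B (A is at least as high as B).
# mls/equal both dominates and is dominated by every label, which is why the
# login class in the text uses it.
mls_dominates() {
    [ "$1" = mls/equal ] && return 0
    [ "$2" = mls/equal ] && return 0
    a=$(mls_grade "$1") || return 2
    b=$(mls_grade "$2") || return 2
    [ "$a" -ge "$b" ]
}

# Read: the subject must dominate the object (no read-up).
mls_can_read()  { mls_dominates "$1" "$2"; }
# Write: the object must dominate the subject (no write-down).
mls_can_write() { mls_dominates "$2" "$1"; }

# One line per access attempt, for a quick allow/deny table.
mls_describe() {
    subj=$1 op=$2 obj=$3
    if [ "$op" = read ]; then
        mls_can_read "$subj" "$obj" && verdict=allow || verdict=deny
    else
        mls_can_write "$subj" "$obj" && verdict=allow || verdict=deny
    fi
    printf '%s %s %s: %s\n' "$subj" "$op" "$obj" "$verdict"
}

# The situations from the guide: Apache runs at mls/low, the jail and the
# administrator's shell at mls/equal, untouched jail files sit at mls/high.
mls_demo() {
    mls_describe mls/low   read  mls/high    # library still labelled high: deny
    mls_describe mls/low   read  mls/low     # relabelled library: allow
    mls_describe mls/low   write mls/low     # httpd-error.log at low: allow
    mls_describe mls/equal read  mls/high    # root in class "default": allow
    mls_describe mls/high  write mls/low     # no write-down: deny
}

mls_demo
```

The first line of the demo is exactly the failure you see when a library or a directory on its path was left at mls/high: httpd at mls/low is denied the read. On a real host the authoritative answer comes from the kernel, so use this only to reason about which files need relabelling before running setfmac.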

For the policy to apply to files only, edit /etc/mac.conf and leave a single line in it:

default_labels file ?mls

The mac_mls.ko module also has to be loaded automatically at boot:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this the system can safely be rebooted. How to create a jail is covered in one of my earlier publications. Before creating the jail, however, you need to add a separate hard drive, create a file system on it and enable multilabel support on that file system; create a UFS2 file system with a 64 KB block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

Once the file system is created and multilabel is enabled, add the drive to /etc/fstab with the following line:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint field give the directory where the drive will be mounted; in the Pass field make sure to put 1 (the fsck pass number, i.e. the order in which this drive is checked). This matters because UFS is sensitive to sudden power loss. Then mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. After the jail is installed, repeat inside it the same steps that were done on the host system for the users and the /etc/login.conf and /etc/mac.conf files.

Configuration

Before setting the required labels, I recommend installing all the required packages first; in my case the labels were set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39

In this example the labels are set according to the dependencies of these packages. Of course, this could be done more simply: put the mls/low label on the /usr/local/lib directory and on the files in it, and the installed packages (for example, the additional PHP extensions) would be able to reach the libraries in that directory. It seems better to me, though, to grant access only to the files that are actually needed. Stop the jail and set mls/high on all of its files:

setfmac -R mls/high /jail

While the labels are being set, the operation aborts if setfmac encounters hard links; in my case I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl
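Since setfmac -R stops at the first hard link, it is worth auditing the jail tree for them before relabelling rather than discovering them one abort at a time. The following is an added example, not code from the article: it lists every regular file with more than one link, grouped by inode so the members of each link set appear together, and demonstrates itself on a throwaway directory it creates.

```shell
#!/bin/sh
# Added example (not from the article): audit a tree for hard links before
# running "setfmac -R", which the text says aborts when it meets one.

# Print "inode path" for every regular file with more than one link, sorted
# by inode so that the members of one link set appear next to each other.
hardlink_groups() {
    find "$1" -type f -links +1 -exec ls -i {} \; | sort -n
}

# Count the files that belong to a link set (0 means the tree is safe).
hardlink_count() {
    hardlink_groups "$1" | wc -l | tr -d ' '
}

# Self-contained demo on a throwaway directory: "a" and "b" share an inode,
# "c" is an ordinary file.
hardlink_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'x\n' > "$tmp/a"
    ln "$tmp/a" "$tmp/b"
    printf 'y\n' > "$tmp/c"
    hardlink_groups "$tmp"
    echo "linked files: $(hardlink_count "$tmp")"
    rm -rf "$tmp"
}

hardlink_demo
```

On the jail, run hardlink_groups /jail (as root, from the host) and deal with each link set before the recursive setfmac; the directories listed above are where they turned up in the author's installation.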

Once the labels are in place, the mls/low label has to be set for Apache. The first step is to find the files Apache needs in order to start:

ldd /usr/local/sbin/httpd

This command prints Apache's library dependencies, but labelling only those files is not enough: the directories containing them still carry the mls/high label, so every directory on the path must be labelled mls/low as well. At startup Apache will also report any further files it needs, and for PHP these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac  mls/low /dev
setfmac  mls/low /dev/random
setfmac  mls/low /usr/local/libexec
setfmac  mls/low /usr/local/libexec/apache24
setfmac  mls/low /usr/local/libexec/apache24/*
setfmac  mls/low /etc/pwd.db
setfmac  mls/low /etc/passwd
setfmac  mls/low /etc/group
setfmac  mls/low /etc/
setfmac  mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list sets the mls/low label on all files required for Apache and PHP to work correctly together (for the packages installed in my example).
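The point made above, that each library from ldd needs every directory on its path relabelled too, is easy to get wrong by hand, as the repeated entries in the list show. Here is an added example, not code from the article, that derives the list mechanically: it parses ldd output in FreeBSD's "name => /path (address)" format, adds the executable itself, expands each path to its ancestor directories up to /, removes duplicates and prints one setfmac command per target. The ldd text is a constructed sample embedded in the script so it runs offline; on a real host feed it the output of ldd /usr/local/sbin/httpd instead.

```shell
#!/bin/sh
# Added example (not from the article): derive the set of "setfmac mls/low"
# targets for an executable from ldd output, including every ancestor
# directory of each file, since a file stays unreachable while a directory
# on its path still carries mls/high.

# Constructed sample of `ldd /usr/local/sbin/httpd` output, trimmed to a few
# lines; the load addresses are made up. On a real host replace this with
# the actual command output.
SAMPLE_LDD='/usr/local/sbin/httpd:
	libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800248000)
	libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x80049c000)
	libexpat.so.1 => /usr/local/lib/libexpat.so.1 (0x8006c4000)
	libc.so.7 => /lib/libc.so.7 (0x800a1b000)
	libthr.so.3 => /lib/libthr.so.3 (0x800d23000)'

# Keep only the resolved absolute paths ("name => /path (addr)" lines).
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# For every path on stdin, print the path itself and each ancestor directory
# up to and including "/", with duplicates removed.
label_closure() {
    while IFS= read -r p; do
        printf '%s\n' "$p"
        d=$p
        while [ "$d" != / ]; do
            d=$(dirname "$d")
            printf '%s\n' "$d"
        done
    done | sort -u
}

# Print one "setfmac mls/low PATH" line per target for the given executable.
# The ldd text is taken from $SAMPLE_LDD so the function runs offline.
gen_setfmac_commands() {
    exe=$1
    {
        printf '%s\n' "$exe"
        printf '%s\n' "$SAMPLE_LDD" | ldd_paths
    } | label_closure | while IFS= read -r p; do
        printf 'setfmac mls/low %s\n' "$p"
    done
}

gen_setfmac_commands /usr/local/sbin/httpd
```

For the five sample libraries this yields twelve commands: the six files plus /, /lib, /usr, /usr/local, /usr/local/lib and /usr/local/sbin. Files that ldd does not report, such as the runtime linker, the configuration, log and pid files and /dev/random in the list above, still have to be added from the startup errors, and the generated commands should be reviewed before they are run inside the jail.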

The final touch is configuring the jail to run at the mls/equal level, with Apache at the mls/low level. For the jail, edit the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to this form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the given label, in this case mls/equal, so that the jail has access to files with any label. For Apache, edit the /usr/local/etc/rc.d/apache24 script and change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook has a different example, but I could not use it because I kept getting a message that the setpmac command could not be used.

Conclusion

This method of privilege separation adds an extra layer of protection to Apache (although it is suitable for any other stack as well), which in addition runs inside a jail; at the same time, for the administrator all of this is transparent and unobtrusive.

Sources that helped me in writing this guide:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
