An example of access-control separation in FreeBSD

Introduction

To add an extra layer of security to a server, you can use a mandatory access control model. This article describes how to run apache inside a jail where only the parts that apache and php need in order to work correctly are accessible. Using this principle you can restrict not only Apache but any other stack as well.

Preparation

This method is suited to the ufs file system; in this example zfs is used on the host system and ufs inside the jail, respectively. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Only one line needs to be added to this file:

options     MAC_MLS

The mls/high label has a higher level than the mls/low label: applications started with the mls/low label will not be able to access files carrying the mls/high label. More information about all the labels available in FreeBSD can be found in the handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (with the -j flag, specify the number of processor threads):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel is compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because users must first be added to the login class once it has been configured. Edit the file /etc/login.conf; in it you need to edit the default user class and bring it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal: lets users who belong to this class access files carrying any label (mls/low, mls/high). After these changes you need to rebuild the database and put the root user (and any others you need) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply to files, edit the file /etc/mac.conf, leaving only one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot-time autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that you can reboot the system. How to create a jail you can read in one of my earlier articles. But before creating the jail you need to add a hard disk, create a file system on it and enable multilabel; create a ufs2 file system with a 64 kb cluster size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the hard disk to /etc/fstab by appending this line to the file:

/dev/ada1               /jail  ufs     rw              0       1

In the Mountpoint field specify the directory where the hard disk will be mounted, and in the Pass field be sure to specify 1 (the order in which this disk will be checked); this is needed because the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is installed, do the same configuration inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.
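Because a mistake in /etc/login.conf or /etc/mac.conf only shows up after the reboot, it is worth checking the preparation steps above before rebooting. The following script is an added example and not code from the original article: the function names (login_class_label, mac_conf_file_label, loader_loads_mls, preflight) are my own, the file paths default to the ones used in the article (/etc/login.conf, /etc/mac.conf, /boot/loader.conf, /dev/ada1), and the parsing functions take a file path so they can be exercised against constructed copies on any system. The tunefs check is FreeBSD-only and is skipped where the tool is absent.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# MAC/MLS preparation steps (login class label, mac.conf default label,
# mac_mls.ko autoload, multilabel on the jail disk) before rebooting.
# Paths and the /dev/ada1 device are the article's; the function names are
# assumptions of this example.

# Print the :label=...: value of a login class in a login.conf file.
# A class record starts at column 0 ("default:\"); its continuation lines
# are indented, so the class stays "current" until the next column-0 record.
login_class_label() {
    awk -v cls="$2" '
        /^[^ \t#]/ { inclass = ($0 ~ ("^" cls "[:|]")) }
        inclass && match($0, /:label=[^:]*:/) {
            print substr($0, RSTART + 7, RLENGTH - 8); exit
        }' "$1"
}

# Print the default label namespace that mac.conf assigns to files
# (the article expects "?mls").
mac_conf_file_label() {
    awk '$1 == "default_labels" && $2 == "file" { print $3; exit }' "$1"
}

# Succeed when loader.conf loads mac_mls.ko at boot.
loader_loads_mls() {
    grep -q '^mac_mls_load="YES"' "$1"
}

# Run every check against the live system; prints one line per failed check
# and returns non-zero if any failed. The jail device defaults to /dev/ada1.
preflight() {
    dev=${1:-/dev/ada1} rc=0
    [ "$(login_class_label /etc/login.conf default)" = "mls/equal" ] \
        || { echo "login.conf: default class is not label=mls/equal"; rc=1; }
    [ "$(mac_conf_file_label /etc/mac.conf)" = "?mls" ] \
        || { echo "mac.conf: default_labels file is not ?mls"; rc=1; }
    loader_loads_mls /boot/loader.conf \
        || { echo "loader.conf: mac_mls_load=\"YES\" is missing"; rc=1; }
    # FreeBSD-only: "tunefs -p" reports whether multilabel is enabled on the
    # jail file system; skipped where tunefs does not exist.
    if command -v tunefs >/dev/null 2>&1; then
        tunefs -p "$dev" 2>/dev/null | grep -q 'multilabel.*enabled' \
            || { echo "$dev: multilabel is not enabled (tunefs -l enable)"; rc=1; }
    fi
    return $rc
}

# Usage: save as preflight.sh and run "sh preflight.sh [jail-device]".
# The guard keeps the checks from running when the file is only sourced.
case "$0" in
    */preflight.sh|preflight.sh) preflight "$@" ;;
esac
```

After the reboot, `sysctl security.mac.mls` confirms that the policy module is loaded, and `getfmac /` shows the label the root directory received from the default_labels line.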

Configuration

Before setting the required labels, I recommend installing all the packages you need; in my case the labels will be set with these packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels will be set according to the dependencies of these packages. Of course, it could be done more simply: set the mls/low label on the /usr/local/lib directory and the files in it, and other installed packages (for example, additional extensions for php) would then be able to reach the libraries in this directory, but it seems better to me to expose only the files that are actually needed. Stop the jail and set the mls/high label on all files:

setfmac -R mls/high /jail

While the labels are being set, the process stops whenever setfmac encounters hard links; in my case I removed the hard links in these directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels are set, you need to set mls/low labels for apache; the first thing to do is find the files needed to start apache:

ldd /usr/local/sbin/httpd

After running this command the dependencies are shown on screen, but setting the appropriate labels on those files alone is not enough, since the directories containing them carry the mls/high label, so those directories must also be labelled mls/low. At startup apache also loads the files it needs to run, and for php these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac  mls/low /dev
setfmac  mls/low /dev/random
setfmac  mls/low /usr/local/libexec
setfmac  mls/low /usr/local/libexec/apache24
setfmac  mls/low /usr/local/libexec/apache24/*
setfmac  mls/low /etc/pwd.db
setfmac  mls/low /etc/passwd
setfmac  mls/low /etc/group
setfmac  mls/low /etc/
setfmac  mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all files required for apache and php to work together correctly (for the packages installed in my example).
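The list above was assembled by hand from the ldd output and from the directories it lives in. As an added example that is not code from the original article, the script below generates the same kind of list automatically: it parses FreeBSD ldd(1) output, adds every ancestor directory of each library (the point made above that a library under an mls/high directory stays unreachable), removes duplicates, and also finds the hard links that make setfmac -R stop. The function names (ldd_paths, ancestors, emit_setfmac, find_hardlinks, verify_labels) and the sample ldd output are assumptions of this example; the paths are jail-relative, as in the article.

```shell
#!/bin/sh
# Added example, not part of the original article: build the "setfmac mls/low"
# command list from ldd(1) output, including parent directories, and locate
# hard links before running "setfmac -R".
# Assumes FreeBSD ldd(1) output lines of the form
#   "    libc.so.7 => /lib/libc.so.7 (0x801000000)"
# and, as in the article, jail-relative paths.

# Print the resolved library paths from ldd output on stdin; the header line
# and unresolved ("not found") entries are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Print every ancestor directory of an absolute path, parent first, up to "/".
ancestors() {
    p=$1
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        printf '%s\n' "$p"
    done
}

# Read ldd output on stdin and emit one setfmac command per library and per
# ancestor directory, deduplicated. The label defaults to mls/low.
emit_setfmac() {
    label=${1:-mls/low}
    ldd_paths | while IFS= read -r lib; do
        printf '%s\n' "$lib"
        ancestors "$lib"
    done | sort -u | while IFS= read -r path; do
        printf 'setfmac %s %s\n' "$label" "$path"
    done
}

# List regular files with more than one hard link under a directory, staying
# on one file system; these stop "setfmac -R" and must be dealt with first.
find_hardlinks() {
    find "$1" -xdev -type f -links +1
}

# FreeBSD-only check: read paths on stdin and print those whose current label
# (getfmac prints "PATH: LABEL") does not contain the expected one.
verify_labels() {
    label=${1:-mls/low}
    while IFS= read -r path; do
        getfmac "$path" 2>/dev/null | grep -Fq "$label" \
            || printf 'MISMATCH %s\n' "$path"
    done
}

# Constructed sample of ldd output for the article's httpd binary
# (addresses are made up).
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a40000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c60000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
    libnotthere.so.1 => not found (0)'

# On the jail itself the pipeline would be:
#   ldd /usr/local/sbin/httpd | emit_setfmac | sh
# followed by:
#   ldd /usr/local/sbin/httpd | ldd_paths | verify_labels
printf '%s\n' "$SAMPLE_LDD" | emit_setfmac
```

Run find_hardlinks on the jail root before `setfmac -R mls/high /jail`; every path it prints is one that, in the article, had to be removed by hand. Note that ldd only reports link-time dependencies, so modules loaded at runtime (the apache24 modules directory, the php extensions) still have to be added from the startup log, as the article describes.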

The final touch is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to modify the /etc/rc.d/jail script: find the jail_start function in this script and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs the executable at the required level, in this case mls/equal, so that all labels are accessible. Inside the apache jail you need to edit the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook has another example, but I could not use it, since I kept getting a message that the setpmac command could not be used.

Conclusion

This method of separating access adds an extra layer of security to apache (although the method is suitable for any other stack) on top of the jail, and at the same time, for the administrator, all of this happens transparently and unnoticeably.

List of resources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

source: www.habr.com
