Mandatory access control model in FreeBSD

Introduction

To add another layer of protection to a server, you can use a mandatory access control model. This article describes how to run apache in a jail with access only to the components that apache and php need in order to work correctly. Using the same principle, you can confine not only Apache but any other stack.

Preparation

This method is only suitable for the ufs file system; in this example, zfs is used on the host system and ufs inside the jail. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label has a higher dominance than the mls/low label: processes started with the mls/low label will not be able to access files carrying the mls/high label. More information about all the labels available in a FreeBSD system can be found in the handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (in the -j option, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been built, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not reboot the system yet, because users need to be moved into the login class you have prepared beforehand. Edit the /etc/login.conf file; in this file you need to edit the default login class, bringing it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The :label=mls/equal line allows users who are members of this class to access files marked with any label (mls/low, mls/high). After doing this, you need to rebuild the login database and put the root user (and any other users who need it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply to files only, you need to edit the /etc/mac.conf file, leaving just one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to the boot-time autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail you can read in one of my other articles. But before creating the jail, you need to add a hard drive, create a file system on it and enable multilabel on it: create a ufs2 file system with a block size of 64kb:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, you need to add the hard drive to /etc/fstab; add the following line to this file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory where the hard drive will be mounted; in Pass, be sure to specify 1 (the order in which this hard drive will be checked). This is necessary, since the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. After the jail is running, you need to perform the same steps inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the required packages; in my case, the labels will be set with these packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39

In this example, the labels are set with the dependencies of these packages in mind. Of course, you could do it more simply: set the mls/low label on the /usr/local/lib directory and the files in it, and packages installed later (for example, other php extensions) would then be able to access the libraries in this directory; but it seems better to me to grant access only to the files that are actually needed. Start the jail and set the mls/high label on all of its files:

setfmac -R mls/high /jail

When setting the labels, the process stops if setfmac encounters hard links; in my case I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels have been set, you need to set the mls/low labels for apache; the first thing to do is to find out which files are needed to start apache:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are shown on the screen, but setting the required labels on these files alone is not enough, since the directories containing these files carry the mls/high label, so those directories also need to be labelled mls/low. At startup, apache itself reports the files it needs in order to run, and for php these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list sets the mls/low label on all the files needed for the apache and php combination to work correctly (for the packages installed in my example).
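The step above is where the list of paths is easy to get wrong: ldd shows the libraries, but every parent directory also needs mls/low, and the binary and the run-time linker are not in ldd output. The following script is an added example, not part of the original article; it turns ldd output into the set of setfmac commands for one binary, using a constructed ldd sample rather than output captured from a real host, and only prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original article: derive every path that must
# carry the mls/low label for a binary to start, from ldd(1) output.
# Labelling only the libraries is not enough (a directory left at mls/high
# blocks traversal), so each parent directory is emitted as well, plus the
# binary itself and the run-time linker /libexec/ld-elf.so.1, which ldd does
# not list. Nothing is labelled here: the output is a list of setfmac
# commands to review and then run inside the jail.

# Print a path followed by all of its parent directories up to "/".
expand_parents() {
    p=$1
    printf '%s\n' "$p"
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        printf '%s\n' "$p"
    done
}

# Usage: ldd "$bin" | mls_low_commands "$bin"
# Reads ldd output on stdin; keeps only "name => /resolved/path (0x...)"
# lines ("=> not found" entries are skipped), adds the binary and the
# run-time linker, expands parents and prints one setfmac per unique path.
# A parent path is a prefix of its children, so sort -u in the C locale
# lists each directory before the files inside it.
mls_low_commands() {
    bin=$1
    {
        printf '%s\n' "$bin" /libexec/ld-elf.so.1
        awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
    } |
    while read -r f; do expand_parents "$f"; done |
    LC_ALL=C sort -u |
    while read -r f; do printf 'setfmac mls/low %s\n' "$f"; done
}

# Constructed ldd output for the demo (abbreviated, not captured from a host).
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800254000)
    libc.so.7 => /lib/libc.so.7 (0x800300000)
    libmissing.so.0 => not found'

printf '%s\n' "$SAMPLE_LDD" | mls_low_commands /usr/local/sbin/httpd
```

On a real system, run it as ldd /usr/local/sbin/httpd | mls_low_commands /usr/local/sbin/httpd and compare the result with the list above before applying anything.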

The final touch is configuring the jail to run at the mls/equal level, and apache at the mls/low level. To start the jail, you need to change the /etc/rc.d/jail script: find the jail_start function in this script and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs the executable at the required label, in this case mls/equal, so that it has access to files with any label. For apache, you need to edit the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook contains another example, but I was unable to use it because I kept getting a message about not being able to use the setpmac command.

Conclusion

This access control method adds another layer of security to apache (although the method is suitable for any other stack), which on top of that runs in a jail; at the same time, for the administrator all of this happens transparently and unnoticeably.

List of sources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
