Introduction
To provide an additional level of server security, you can use
Preparation
This method is suitable only for the ufs file system; in this example, zfs is used for the host system and ufs for the jail, respectively. The first step is to rebuild the kernel, so install the source code when installing FreeBSD.
After the system is installed, edit the file:
/usr/src/sys/amd64/conf/GENERIC
You need to add one line to this file:
options MAC_MLS
The mls/high label sits above the mls/low label: applications started with the mls/low label cannot access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found here
Next, go to the /usr/src directory:
cd /usr/src
To start building the kernel, run (the -j flag specifies the number of CPU cores in the system):
make -j 4 buildkernel KERNCONF=GENERIC
After the kernel is built, it must be installed:
make installkernel KERNCONF=GENERIC
After installing the kernel, do not rush to reboot the system, because the users first have to be moved into a login class that has been configured beforehand. Edit the /etc/login.conf file: in this file you need to change the default login class, bringing it to the following form (every line but the last ends in a backslash so that cap_mkdb reads the class as one record):
default:\
	:passwd_format=sha512:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked=64K:\
	:memoryuse=unlimited:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:openfiles=unlimited:\
	:maxproc=unlimited:\
	:sbsize=unlimited:\
	:vmemoryuse=unlimited:\
	:swapuse=unlimited:\
	:pseudoterminals=unlimited:\
	:kqueues=unlimited:\
	:umtxp=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:\
	:label=mls/equal:
The line :label=mls/equal allows users who belong to this class to access files marked with any label (mls/low, mls/high). After this change, you need to rebuild the login database and put the root user (and any others who need it) into this login class:
cap_mkdb /etc/login.conf
pw usermod root -L default
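Because the system must not be rebooted into the MAC_MLS kernel before the administrative users carry a label, a small pre-reboot check is useful. The following is an added example and not code from the original article: a POSIX shell function that parses the login.conf record format (a "name:\" line followed by continuation lines ending in ":\", each capability written as ":cap=value:") and reports the label of a given class. The sample file content, the staff class and the check_label helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-reboot check that a
# login class in a login.conf file carries a label capability. It parses the
# record format cap_mkdb(1) reads ("name:\" then continuation lines ending in
# ":\", capabilities written as ":cap=value:"). Sample content and the class
# names are constructed for this example.

# Constructed sample modelled on the article's default class (tabs or spaces
# may lead the continuation lines).
SAMPLE_LOGIN_CONF='# comment line
default:\
    :passwd_format=sha512:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
    :umask=022:\
    :label=mls/equal:

staff:\
    :umask=027:
'

# login_cap CLASS CAP: read a login.conf on stdin and print the value of
# capability CAP in class CLASS; print nothing if either is absent.
login_cap() {
    awk -v cls="$1" -v cap="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        { sub(/^[ \t]+/, ""); rec = rec $0 }       # accumulate the record
        /\\$/ { sub(/\\$/, "", rec); next }        # line continues on the next one
        {
            n = split(rec, f, ":"); rec = ""
            if (f[1] != cls) next
            for (i = 2; i <= n; i++)
                if (index(f[i], cap "=") == 1) {
                    print substr(f[i], length(cap) + 2); exit
                }
        }'
}

# check_label CLASS: succeed only if CLASS has one of the mac_mls labels the
# article uses, so that a reboot into the MAC_MLS kernel will not lock the
# users of that class out of mls/high files.
check_label() {
    lbl=$(login_cap "$1" label)
    case "$lbl" in
        mls/equal|mls/high|mls/low)
            printf 'class %s: label=%s\n' "$1" "$lbl"; return 0 ;;
        "")
            printf 'class %s: no label capability, do not reboot yet\n' "$1" >&2; return 1 ;;
        *)
            printf 'class %s: unexpected label %s\n' "$1" "$lbl" >&2; return 1 ;;
    esac
}

# On a real system the call would be: check_label default < /etc/login.conf
printf '%s' "$SAMPLE_LOGIN_CONF" | check_label default
```

The parser reads the text file, not the cap_mkdb database, so run it after editing /etc/login.conf and before cap_mkdb; a class that has no label line makes check_label fail, which is the case that would leave root unable to reach mls/high files after the reboot.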
For the policy to apply to files only, you need to edit the /etc/mac.conf file, leaving just one line in it:
default_labels file ?mls
You also need to add the mac_mls.ko module so that it is loaded at boot:
echo 'mac_mls_load="YES"' >> /boot/loader.conf
After that, you can safely reboot the system. How to create
newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1
After creating the file system and enabling multilabel on it, you need to add the disk to /etc/fstab; add this line to the file:
/dev/ada1 /jail ufs rw 0 1
In Mountpoint, specify the directory where you will mount the disk; in Pass, be sure to specify 1 (the order in which this disk will be checked at boot). This is necessary because the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:
mount /dev/ada1 /jail
Install the jail into this directory. Once the jail is running, you need to perform the same steps as on the host system with the users and with the /etc/login.conf and /etc/mac.conf files.
Configuration
Before setting the required labels, I recommend installing all the required packages; in my case, the labels will be set with these packages in mind:
mod_php73-7.3.4_1 PHP Scripting Language
php73-7.3.4_1 PHP Scripting Language
php73-ctype-7.3.4_1 The ctype shared extension for php
php73-curl-7.3.4_1 The curl shared extension for php
php73-dom-7.3.4_1 The dom shared extension for php
php73-extensions-1.0 "meta-port" to install PHP extensions
php73-filter-7.3.4_1 The filter shared extension for php
php73-gd-7.3.4_1 The gd shared extension for php
php73-gettext-7.3.4_1 The gettext shared extension for php
php73-hash-7.3.4_1 The hash shared extension for php
php73-iconv-7.3.4_1 The iconv shared extension for php
php73-json-7.3.4_1 The json shared extension for php
php73-mysqli-7.3.4_1 The mysqli shared extension for php
php73-opcache-7.3.4_1 The opcache shared extension for php
php73-openssl-7.3.4_1 The openssl shared extension for php
php73-pdo-7.3.4_1 The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1 The pdo_sqlite shared extension for php
php73-phar-7.3.4_1 The phar shared extension for php
php73-posix-7.3.4_1 The posix shared extension for php
php73-session-7.3.4_1 The session shared extension for php
php73-simplexml-7.3.4_1 The simplexml shared extension for php
php73-sqlite3-7.3.4_1 The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1 The tokenizer shared extension for php
php73-xml-7.3.4_1 The xml shared extension for php
php73-xmlreader-7.3.4_1 The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1 The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1 The xmlwriter shared extension for php
php73-xsl-7.3.4_1 The xsl shared extension for php
php73-zip-7.3.4_1 The zip shared extension for php
php73-zlib-7.3.4_1 The zlib shared extension for php
apache24-2.4.39
In this example, the labels will be set according to the dependencies of these packages. Of course, you could do it more simply: set mls/low on the /usr/local/lib directory and the files in it, and packages installed later (for example, additional php extensions) would be able to access the libraries in that directory, but I think it is better to pick out only the files that are actually needed. Stop the jail and set the mls/high label on all files:
setfmac -R mls/high /jail
While the labels are being set, the process will stop if setfmac encounters hard links; for example, I deleted the hard links in the following directories:
/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl
After the labels are set, you need to set mls/low labels for apache; the first thing to do is find out which files are needed to start apache:
ldd /usr/local/sbin/httpd
After running this command, the dependencies are displayed on screen, but setting the required labels on these files alone is not enough: the directories containing them carry the mls/high label, so these directories also need to be labeled mls/low. On startup, apache will also report the files it needs in order to run, and for php these dependencies can be found in the httpd-error.log log.
setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf
This list contains the mls/low labels for all files required for the correct operation of the apache and php bundle (with the packages installed in my example).
The final touch is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to change the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to the form:
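The list above was assembled by hand from ldd output plus the directories that contain each library. As an added example that is not part of the original article, the following POSIX shell script generalizes that step: it reads ldd output, collects every resolved library together with all of its ancestor directories (including the root), deduplicates them and prints the corresponding setfmac commands for review rather than running them. The ldd text is a constructed sample whose load addresses are made up; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: derive from `ldd` output
# the set of paths that must carry mls/low for a process confined to mls/low
# to load its libraries. Each resolved library is listed together with every
# ancestor directory, because a directory left at mls/high blocks lookup even
# when the file inside it is already mls/low (the point the article makes).
# Nothing here calls setfmac; the plan is printed for review.

# Constructed sample of `ldd /usr/local/sbin/httpd` output; library paths
# follow the article, load addresses are made up.
SAMPLE_LDD='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
    libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x801000000)
    libthr.so.3 => /lib/libthr.so.3 (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'

# ancestors PATH: print every directory above an absolute path, including /.
ancestors() {
    p=$1
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        printf '%s\n' "$p"
    done
}

# label_plan: read ldd text on stdin; print the deduplicated set of files
# and directories to relabel, sorted so a parent precedes its children.
label_plan() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while IFS= read -r lib; do
        printf '%s\n' "$lib"
        ancestors "$lib"
    done | LC_ALL=C sort -u
}

# plan_to_commands: turn the plan into setfmac invocations. Paths the loader
# needs but ldd never lists (the runtime linker /libexec/ld-elf.so.1,
# /dev/random, configuration and log files) must be appended by hand, as the
# article's list shows.
plan_to_commands() {
    label_plan | while IFS= read -r path; do
        printf 'setfmac mls/low %s\n' "$path"
    done
}

# Helpers over the constructed sample, used for checking the result.
plan_count() { printf '%s\n' "$SAMPLE_LDD" | label_plan | wc -l | tr -d ' '; }
plan_has()   { printf '%s\n' "$SAMPLE_LDD" | label_plan | grep -qx -- "$1"; }

printf '%s\n' "$SAMPLE_LDD" | plan_to_commands
```

On a real host the input would come from `ldd /usr/local/sbin/httpd | plan_to_commands` run inside the jail, and the output reviewed before execution; the script deliberately does not add the runtime linker, device nodes, PHP modules or log files, which is why the article's list is longer than what ldd alone reports.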
command="setpmac mls/equal $jail_program"
The setpmac command runs an executable at the required label, in this case mls/equal, so that it can access files of all labels. For apache itself, you need to modify the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:
apache24_prestart() {
	apache24_checkfib
	apache24_precmd
	eval "setpmac mls/low" ${command} ${apache24_flags}
}
Conclusion
This method of access separation adds an extra layer of security to apache (although the approach suits any package) on top of the jail it runs in, and at the same time all of this is administered transparently and unobtrusively.
List of sources that helped me write this publication:
Source: www.habr.com