A method of mandatory access control in FreeBSD

Introduction

To provide an additional level of server security, you can use the mandatory access control model. This article describes how to run Apache in a jail with access only to the components that Apache and PHP need in order to work correctly. Using this principle, you can restrict not only Apache but any other stack.

Preparation

This method is suitable only for the ufs file system; in this example zfs is used on the host system and ufs in the jail, respectively. The first step is to rebuild the kernel, so when installing FreeBSD, install the source code as well.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

You only need to add one line to this file:

options     MAC_MLS

The mls/high label dominates the mls/low label: processes started with the mls/low label will not be able to access files carrying the mls/high label. More details about all the labels available in FreeBSD can be found in the handbook.
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run the following (with the -j flag, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

After the kernel has been compiled, it must be installed:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot the system, because you first need to move users into a login class that you have not configured yet. Edit the file /etc/login.conf; in this file you need to configure the default login class, bringing it to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal allows users who are members of this class to access files marked with any label (mls/low, mls/high). After these manipulations, you need to rebuild the database and put the user (and anyone else who needs it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

For the policy to apply only to files, you need to edit the /etc/mac.conf file, leaving only one line in it:

default_labels file ?mls

You also need to add the mac_mls.ko module to autoload:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After this, you can safely reboot the system. How to create a jail you can read in another of my articles. But before creating the jail, you need to add a hard drive, create a file system on it and enable multilabel on it. Create a ufs2 file system with a 64kb block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, you need to add the hard drive to /etc/fstab by adding the following line to this file:

/dev/ada1               /jail  ufs     rw              0       1

In Mountpoint, specify the directory in which you will mount the hard drive; in Pass, be sure to specify 1 (the order in which the hard drive will be checked). This is necessary because the ufs file system is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail in this directory. Once the jail is running, you should perform the same manipulations inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the necessary packages; in my case, the labels will be set with these packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example, the labels will be set taking into account the dependencies of these packages. Of course, you can do it more simply: set mls/low labels on the /usr/local/lib folder and the files in this directory, and packages installed later (for example, other php extensions) will be able to access the libraries in this directory, but it seems better to me to give access only to the files that are actually needed. Stop the jail and set mls/high labels on all files:

setfmac -R mls/high /jail

When setting labels, the process will stop if setfmac encounters hard links; in my example, I deleted the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

After the labels are set, you should set mls/low labels for apache. The first thing to do is to find out which files are needed to start apache:

ldd /usr/local/sbin/httpd

After executing this command, the dependencies will be displayed on the screen, but setting the required labels on these files alone is not enough, because the directories in which these files are located carry mls/high labels, so these directories must also be labelled mls/low. When starting, apache will also report the files it needs to run, and for php these dependencies can be found in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac mls/low /dev
setfmac mls/low /dev/random
setfmac mls/low /usr/local/libexec
setfmac mls/low /usr/local/libexec/apache24
setfmac mls/low /usr/local/libexec/apache24/*
setfmac mls/low /etc/pwd.db
setfmac mls/low /etc/passwd
setfmac mls/low /etc/group
setfmac mls/low /etc/
setfmac mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains mls/low labels for all files required for the correct operation of the apache and php bundle (for the packages installed in my example).
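As an added example (not part of the original article), the following sh script turns ldd output into setfmac commands that label each library mls/low together with every directory on the path down to it, which is the step the text above says is easy to miss. The ldd output it parses is a constructed sample; on a real host you would pipe `ldd /usr/local/sbin/httpd` into ldd_to_setfmac and review the commands before running them inside the jail.

```sh
#!/bin/sh
# Added example, not from the original article: convert the output of
# `ldd /usr/local/sbin/httpd` into the setfmac commands that label every
# required library mls/low AND every directory on the path down to it,
# since a file labelled mls/low inside an mls/high directory is still
# unreachable from an mls/low process.

# Constructed sample of ldd output (three libraries only).
LDD_SAMPLE='/usr/local/sbin/httpd:
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
    libapr-1.so.0 => /usr/local/lib/libapr-1.so.0 (0x800c00000)'

# Print every directory from the parent of $1 up to and including /.
ancestors() {
    p=$(dirname "$1")
    while [ "$p" != "/" ]; do
        echo "$p"
        p=$(dirname "$p")
    done
    echo /
}

# Read ldd output on stdin and emit one `setfmac mls/low PATH` line per
# unique library and ancestor directory, sorted so parents come first.
ldd_to_setfmac() {
    awk '$2 == "=>" { print $3 }' | while read -r lib; do
        ancestors "$lib"
        echo "$lib"
    done | LC_ALL=C sort -u | awk '{ print "setfmac mls/low " $0 }'
}

# Stand-alone usage: print the commands for the constructed sample.
printf '%s\n' "$LDD_SAMPLE" | ldd_to_setfmac
```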

The last step is to configure the jail to run at the mls/equal level and apache at the mls/low level. To start the jail, you need to modify the /etc/rc.d/jail script: find the jail_start function in this script and change the command variable to the form:

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the required label, in this case mls/equal, so that it has access to all labels. For apache you need to configure the startup script /usr/local/etc/rc.d/apache24. Change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}

The official handbook contains another example, but I could not use it because I kept getting an error message that the setpmac command could not be used.

Conclusion

This method of access separation adds an additional level of security to apache (although the method is suitable for any other stack as well), which in addition runs in a jail; at the same time, for the administrator all of this happens transparently and unnoticed.

List of sources that helped me write this article:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
