Mandatory access control in FreeBSD

Introduction

To add an extra layer of protection to a server, you can use a mandatory access control (MAC) model. This post describes how to confine Apache inside a jail so that it can reach only those parts of the file system that Apache and PHP need in order to work correctly. The same approach can be used to confine not just Apache but any other stack.

Preparation

This method only works on the UFS file system, because per-file MAC labels require a UFS2 file system with the multilabel flag enabled; ZFS does not store them. In this example ZFS is used on the host system and UFS inside the jail. The first step is to rebuild the kernel, so include the source code when installing FreeBSD.
After the system is installed, edit the file:

/usr/src/sys/amd64/conf/GENERIC

Only one line needs to be added to this file:

options     MAC_MLS

The mls/high label dominates mls/low: a process started at mls/low cannot read files labelled mls/high, and a process at mls/high cannot write to files labelled mls/low. Details of all the labels available in FreeBSD can be found in the handbook. (GENERIC already contains options MAC, so the policy could also be loaded purely as a module through loader.conf, as done further below, without rebuilding the kernel.)
Next, go to the /usr/src directory:

cd /usr/src

To start building the kernel, run (for the -j switch, specify the number of cores in the system):

make -j 4 buildkernel KERNCONF=GENERIC

Once the kernel is compiled, install it:

make installkernel KERNCONF=GENERIC

After installing the kernel, do not rush to reboot: users must first be assigned to a login class, and that class has to be configured beforehand. Edit /etc/login.conf and bring the default login class to the following form:

default:
        :passwd_format=sha512:
        :copyright=/etc/COPYRIGHT:
        :welcome=/etc/motd:
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:
        :nologin=/var/run/nologin:
        :cputime=unlimited:
        :datasize=unlimited:
        :stacksize=unlimited:
        :memorylocked=64K:
        :memoryuse=unlimited:
        :filesize=unlimited:
        :coredumpsize=unlimited:
        :openfiles=unlimited:
        :maxproc=unlimited:
        :sbsize=unlimited:
        :vmemoryuse=unlimited:
        :swapuse=unlimited:
        :pseudoterminals=unlimited:
        :kqueues=unlimited:
        :umtxp=unlimited:
        :priority=0:
        :ignoretime@:
        :umask=022:
        :label=mls/equal:

The line :label=mls/equal allows members of this class to access files with any label (mls/low, mls/high). After this change, rebuild the login database and put the root user (and anyone else who needs it) into this login class:

cap_mkdb /etc/login.conf
pw usermod root -L default

So that the policy applies only to files, edit /etc/mac.conf, leaving just one line in it:

default_labels file ?mls

The mac_mls.ko module also has to be loaded at boot:

echo 'mac_mls_load="YES"' >> /boot/loader.conf

After that, you can safely reboot the system. How to create a jail you can read in one of my other posts. But before creating the jail, attach the hard drive, create a file system on it and enable multilabel on it; create a UFS2 file system with a 64 KB block size:

newfs -O 2 -b 64kb /dev/ada1
tunefs -l enable /dev/ada1

After creating the file system and enabling multilabel, add the disk to /etc/fstab with the following line:

/dev/ada1               /jail  ufs     rw              0       1

In the mount point field, specify the directory where the disk will be mounted; in the Pass field make sure to put 1 (the order in which the file system is checked at boot). This is necessary because UFS is sensitive to sudden power loss. After these steps, mount the disk:

mount /dev/ada1 /jail

Install the jail into this directory. Once the jail is running, make the same changes inside it as on the host system: the users and the files /etc/login.conf and /etc/mac.conf.

Configuration

Before setting the required labels, I recommend installing all the necessary packages first; in my case the labels are set with the following packages in mind:

mod_php73-7.3.4_1              PHP Scripting Language
php73-7.3.4_1                  PHP Scripting Language
php73-ctype-7.3.4_1            The ctype shared extension for php
php73-curl-7.3.4_1             The curl shared extension for php
php73-dom-7.3.4_1              The dom shared extension for php
php73-extensions-1.0           "meta-port" to install PHP extensions
php73-filter-7.3.4_1           The filter shared extension for php
php73-gd-7.3.4_1               The gd shared extension for php
php73-gettext-7.3.4_1          The gettext shared extension for php
php73-hash-7.3.4_1             The hash shared extension for php
php73-iconv-7.3.4_1            The iconv shared extension for php
php73-json-7.3.4_1             The json shared extension for php
php73-mysqli-7.3.4_1           The mysqli shared extension for php
php73-opcache-7.3.4_1          The opcache shared extension for php
php73-openssl-7.3.4_1          The openssl shared extension for php
php73-pdo-7.3.4_1              The pdo shared extension for php
php73-pdo_sqlite-7.3.4_1       The pdo_sqlite shared extension for php
php73-phar-7.3.4_1             The phar shared extension for php
php73-posix-7.3.4_1            The posix shared extension for php
php73-session-7.3.4_1          The session shared extension for php
php73-simplexml-7.3.4_1        The simplexml shared extension for php
php73-sqlite3-7.3.4_1          The sqlite3 shared extension for php
php73-tokenizer-7.3.4_1        The tokenizer shared extension for php
php73-xml-7.3.4_1              The xml shared extension for php
php73-xmlreader-7.3.4_1        The xmlreader shared extension for php
php73-xmlrpc-7.3.4_1           The xmlrpc shared extension for php
php73-xmlwriter-7.3.4_1        The xmlwriter shared extension for php
php73-xsl-7.3.4_1              The xsl shared extension for php
php73-zip-7.3.4_1              The zip shared extension for php
php73-zlib-7.3.4_1             The zlib shared extension for php
apache24-2.4.39 

In this example the labels are set according to the dependencies of these packages. Of course, it can be done more simply: set mls/low on the /usr/local/lib directory and the files in it, and any packages installed later (for example, additional PHP extensions) will be able to reach the libraries in that directory; but it seems better to me to grant access only to the files that are actually required. Stop the jail and set mls/high on all of its files:

setfmac -R mls/high /jail

While setting labels, the run stops if setfmac encounters hard links; in my case I removed the hard links in the following directories:

/var/db/etcupdate/current/
/var/db/etcupdate/current/etc
/var/db/etcupdate/current/usr/share/openssl/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.ISO8859-15
/var/db/etcupdate/current/usr/share/man/en.UTF-8
/var/db/etcupdate/current/usr/share/nls
/etc/ssl
/usr/local/etc
/usr/local/etc/fonts/conf.d
/usr/local/openssl

Once the labels are set, the mls/low labels for Apache need to be set. The first thing to do is find out which files Apache needs in order to start:

ldd /usr/local/sbin/httpd

After running this command, the dependencies are shown on screen, but setting the required labels on these files alone is not enough: the directories in which they reside carry mls/high, so those directories must also be labelled mls/low. When started, Apache will additionally report the files it needs to run, and for PHP these dependencies show up in the httpd-error.log log.

setfmac mls/low /
setfmac mls/low /usr/local/lib/libpcre.so.1
setfmac mls/low /usr/local/lib/libaprutil-1.so.0
setfmac mls/low /usr/local/lib/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/libgdbm.so.6
setfmac mls/low /usr/local/lib/libexpat.so.1
setfmac mls/low /usr/local/lib/libapr-1.so.0
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /lib/libc.so.7
setfmac mls/low /usr/local/lib/libintl.so.8
setfmac mls/low /var
setfmac mls/low /var/run
setfmac mls/low /var/log
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac mls/low /var/run/httpd.pid
setfmac mls/low /lib
setfmac mls/low /lib/libcrypt.so.5
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0
setfmac mls/low /usr/local/lib/db5/libdb-5.3.so.0.0.0
setfmac mls/low /usr/local/lib/db5
setfmac mls/low /usr/local/lib
setfmac mls/low /libexec
setfmac mls/low /libexec/ld-elf.so.1
setfmac  mls/low /dev
setfmac  mls/low /dev/random
setfmac  mls/low /usr/local/libexec
setfmac  mls/low /usr/local/libexec/apache24
setfmac  mls/low /usr/local/libexec/apache24/*
setfmac  mls/low /etc/pwd.db
setfmac  mls/low /etc/passwd
setfmac  mls/low /etc/group
setfmac  mls/low /etc/
setfmac  mls/low /usr/local/etc
setfmac -R mls/low /usr/local/etc/apache24
setfmac mls/low /usr
setfmac mls/low /usr/local
setfmac mls/low /usr/local/sbin
setfmac mls/low /usr/local/sbin/*
setfmac -R mls/low /usr/local/etc/rc.d/
setfmac mls/low /usr/local/sbin/htcacheclean
setfmac mls/low /var/log/httpd-access.log
setfmac mls/low /var/log/httpd-error.log
setfmac -R mls/low /usr/local/www
setfmac mls/low /usr/lib
setfmac mls/low /tmp
setfmac -R mls/low /usr/local/lib/php
setfmac -R mls/low /usr/local/etc/php
setfmac mls/low /usr/local/etc/php.conf
setfmac mls/low /lib/libelf.so.2
setfmac mls/low /lib/libm.so.5
setfmac mls/low /usr/local/lib/libxml2.so.2
setfmac mls/low /lib/libz.so.6
setfmac mls/low /usr/lib/liblzma.so.5
setfmac mls/low /usr/local/lib/libiconv.so.2
setfmac mls/low /usr/lib/librt.so.1
setfmac mls/low /lib/libthr.so.3
setfmac mls/low /usr/local/lib/libpng16.so.16
setfmac mls/low /usr/lib/libbz2.so.4
setfmac mls/low /usr/local/lib/libargon2.so.0
setfmac mls/low /usr/local/lib/libpcre2-8.so.0
setfmac mls/low /usr/local/lib/libsqlite3.so.0
setfmac mls/low /usr/local/lib/libgd.so.6
setfmac mls/low /usr/local/lib/libjpeg.so.8
setfmac mls/low /usr/local/lib/libfreetype.so
setfmac mls/low /usr/local/lib/libfontconfig.so.1
setfmac mls/low /usr/local/lib/libtiff.so.5
setfmac mls/low /usr/local/lib/libwebp.so.7
setfmac mls/low /usr/local/lib/libjbig.so.2
setfmac mls/low /usr/lib/libssl.so.8
setfmac mls/low /lib/libcrypto.so.8
setfmac mls/low /usr/local/lib/libzip.so.5
setfmac mls/low /etc/resolv.conf

This list contains the mls/low labels for all the files needed for Apache and PHP to work correctly (with the packages installed in my example).
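As an added example (my own script, not part of the original post), the following sh code automates the tedious part of the step above: it reads ldd(1) output, adds every ancestor directory of each resolved library (mac_mls(4) will not let a mls/low subject look up a path through a mls/high directory), and prints the resulting setfmac(8) commands as a dry run. The ldd output embedded in it is constructed for the demo, not captured from a real host, and the function names are mine.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Derive the set of paths that must carry mls/low for a mls/low process
# (httpd) to start: the binary, every shared library ldd(1) resolves, and
# every ancestor directory of those files, because mac_mls(4) does not let
# a low-labelled subject look up a path through a high-labelled directory.

# Constructed, abbreviated `ldd /usr/local/sbin/httpd` output (not captured
# from a real host); the (0x...) load addresses are placeholders.
SAMPLE_LDD='/usr/local/sbin/httpd:
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800a00000)
        libaprutil-1.so.0 => /usr/local/lib/libaprutil-1.so.0 (0x800c00000)
        libapr-1.so.0 => /usr/local/lib/libapr-1.so.0 (0x801000000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x801200000)
        libthr.so.3 => /lib/libthr.so.3 (0x801400000)
        libc.so.7 => /lib/libc.so.7 (0x801600000)
        [vdso] (0x7ffffffff000)'

# stdin: ldd output. stdout: the absolute path ldd resolved on each line.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# stdin: one path per line. stdout: each path plus all of its ancestor
# directories up to "/", sorted and de-duplicated.
with_ancestors() {
    while IFS= read -r p; do
        printf '%s\n' "$p"
        while [ "$p" != / ]; do
            p=$(dirname "$p")
            printf '%s\n' "$p"
        done
    done | sort -u
}

# $1: the binary itself; stdin: its ldd output.
# stdout: every path that needs mls/low so $1 can be started at mls/low.
mls_low_targets() {
    { printf '%s\n' "$1"; ldd_paths; } | with_ancestors
}

# stdin: paths from mls_low_targets. stdout: the setfmac(8) commands.
# Review this output, then pipe it to sh on the FreeBSD host or jail.
label_low_cmds() {
    while IFS= read -r p; do
        printf 'setfmac mls/low %s\n' "$p"
    done
}

# Dry run over the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | mls_low_targets /usr/local/sbin/httpd | label_low_cmds
```

Inside the jail this would be run as `ldd /usr/local/sbin/httpd | mls_low_targets /usr/local/sbin/httpd | label_low_cmds`, reviewed, and only then piped to sh; `getfmac` on a few of the printed paths confirms the result. Note that ldd lists link-time dependencies only: modules that httpd and PHP load with dlopen (the apache24 modules directory, the PHP extensions) and the configuration, log and pid files still have to be labelled by hand, as the list above does.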

The finishing touch is to make the jail run at mls/equal and Apache at mls/low. To start the jail, edit the /etc/rc.d/jail script: find the jail_start function in it and change the command variable to the form below. Keep in mind that /etc/rc.d/jail is part of the base system and may be replaced by a system update, so re-check the change after upgrading.

command="setpmac mls/equal $jail_program"

The setpmac command runs an executable at the requested label, in this case mls/equal, so that the jail has access to all labels. For Apache, edit the start script /usr/local/etc/rc.d/apache24 and change the apache24_prestart function:

apache24_prestart() {
        apache24_checkfib
        apache24_precmd
        eval "setpmac mls/low" ${command} ${apache24_flags}
}
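Once the jail and Apache are up, it is worth confirming that the processes really ended up at the intended labels. The following check is an added example of mine, not from the post: it reads `ps ax -o pid,label,command` output and reports every process whose command matches but whose MAC label is not the expected one. The ps listing embedded below is constructed; on a real system the first command in the pipeline would be ps itself, run inside the jail or with `ps -J <jid>` from the host.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Verify that the processes that should run at mls/low really do: compare
# the MAC label column of `ps ax -o pid,label,command` against the label
# expected for a given command.

# Constructed `ps ax -o pid,label,command` listing (not captured from a
# host); one httpd worker is deliberately left at mls/high.
SAMPLE_PS='  PID LABEL     COMMAND
    1 mls/equal /sbin/init --
  912 mls/equal /usr/sbin/syslogd -s
 2001 mls/low   /usr/local/sbin/httpd -DNOHTTPACCEPT
 2002 mls/low   /usr/local/sbin/httpd -DNOHTTPACCEPT
 2003 mls/high  /usr/local/sbin/httpd -DNOHTTPACCEPT'

# $1: expected label (e.g. mls/low); $2: awk regex matched against the
# command's executable. stdin: ps listing including its header line.
# stdout: "pid label" for every matching process carrying another label.
mislabelled() {
    awk -v want="$1" -v pat="$2" \
        'NR > 1 && $3 ~ pat && $2 != want { print $1, $2 }'
}

# Exit 0 when every process matching $2 carries label $1, 1 otherwise.
labels_ok() {
    [ -z "$(mislabelled "$1" "$2")" ]
}

# Demo over the constructed listing: prints "2003 mls/high".
printf '%s\n' "$SAMPLE_PS" | mislabelled mls/low '^/usr/local/sbin/httpd$'
```

A non-empty report means an httpd process was started outside the setpmac wrapper (for example by running the binary by hand from a mls/equal shell) and would see mls/high files; the same check with mls/equal and the jail's own daemons verifies the jail side of the setup.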

The official handbook contains another example, but I could not get it to work because I always got a message about being unable to use the setpmac command.

Conclusion

This access control method adds an extra layer of security to Apache (although the approach suits any other stack), which in addition runs inside a jail, and at the same time all of this remains transparent and invisible to the administrator.

List of sources that helped me in writing this post:

https://www.freebsd.org/doc/ru_RU.KOI8-R/books/handbook/mac.html

Source: www.habr.com
