r471 - community/trunk/SELinux_User_Guide/ru-RU

transif at fedoraproject.org
Thu Jul 29 18:04:35 UTC 2010


Author: transif
Date: 2010-07-29 18:04:34 +0000 (Thu, 29 Jul 2010)
New Revision: 471

Modified:
   community/trunk/SELinux_User_Guide/ru-RU/Introduction.po
Log:
l10n: Updates to Russian (ru) translation

Transmitted-via: Transifex (translate.fedoraproject.org)

Modified: community/trunk/SELinux_User_Guide/ru-RU/Introduction.po
===================================================================
--- community/trunk/SELinux_User_Guide/ru-RU/Introduction.po	2010-07-29 17:48:58 UTC (rev 470)
+++ community/trunk/SELinux_User_Guide/ru-RU/Introduction.po	2010-07-29 18:04:34 UTC (rev 471)
@@ -1,424 +1,227 @@
-# SOME DESCRIPTIVE TITLE.
-# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
-#
-#, fuzzy
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
-"POT-Creation-Date: 2010-04-15T00:19:31\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
-"Language-Team: LANGUAGE <kde-i18n-doc at kde.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Type: application/x-xml2pot; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#. Tag: title
-#, no-c-format
-msgid "Introduction"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Security-Enhanced Linux (SELinux) is an implementation of a "
-"<firstterm>mandatory access control</firstterm> mechanism in the Linux "
-"kernel, checking for allowed operations after standard "
-"<firstterm>discretionary access controls</firstterm> are checked. It was "
-"created by the National Security Agency and can enforce rules on files and "
-"processes in a Linux system, and on their actions, based on defined policy."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"When using SELinux, files, including directories and devices, are referred "
-"to as objects. Processes, such as a user running a command or the <trademark "
-"class=\"registered\">Mozilla</trademark><trademark class=\"registered\"> "
-"Firefox</trademark> application, are referred to as subjects. Most operating "
-"systems use a Discretionary Access Control (DAC) system that controls how "
-"subjects interact with objects, and how subjects interact with each other. "
-"On operating systems using DAC, users control the permissions of files "
-"(objects) that they own. For example, on <trademark class=\"registered"
-"\">Linux</trademark> operating systems, users could make their home "
-"directories world-readable, giving users and processes (subjects) access to "
-"potentially sensitive information, with no further protection over this "
-"unwanted action."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Relying on DAC mechanisms alone is fundamentally inadequate for strong "
-"system security. DAC access decisions are only based on user identity and "
-"ownership, ignoring other security-relevant information such as the role of "
-"the user, the function and trustworthiness of the program, and the "
-"sensitivity and integrity of the data. Each user has complete discretion "
-"over their files, making it impossible to enforce a system-wide security "
-"policy. Furthermore, every program run by a user inherits all of the "
-"permissions granted to the user and is free to change access to the user's "
-"files, so no protection is provided against malicious software. Many system "
-"services and privileged programs must run with coarse-grained privileges "
-"that far exceed their requirements, so that a flaw in any one of these "
-"programs could be exploited to obtain further system access.<footnote> "
-"<para> \"Integrating Flexible Support for Security Policies into the Linux "
-"Operating System\", by Peter Loscocco and Stephen Smalley. This paper was "
-"originally prepared for the National Security Agency and is, consequently, "
-"in the public domain. Refer to the <ulink url=\"http://www.nsa.gov/research/"
-"_files/selinux/papers/freenix01/index.shtml\">original paper</ulink> for "
-"details and the document as it was first released. Any edits and changes "
-"were done by Murray McAllister. </para> </footnote>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following is an example of permissions used on Linux operating systems "
-"that do not run Security-Enhanced Linux (SELinux). The permissions and "
-"output in these examples may differ from your system. Use the <command>ls -"
-"l</command> command to view file permissions:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The first three permission bits, <computeroutput>rwx</computeroutput>, "
-"control the access the Linux <computeroutput>user1</computeroutput> user (in "
-"this case, the owner) has to <filename>file1</filename>. The next three "
-"permission bits, <computeroutput>rw-</computeroutput>, control the access "
-"the Linux <computeroutput>group1</computeroutput> group has to "
-"<filename>file1</filename>. The last three permission bits, "
-"<computeroutput>r--</computeroutput>, control the access everyone else has "
-"to <filename>file1</filename>, which includes all users and processes."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the "
-"Linux kernel, and is enabled by default in Fedora. A general purpose MAC "
-"architecture needs the ability to enforce an administratively-set security "
-"policy over all processes and files in the system, basing decisions on "
-"labels containing a variety of security-relevant information. When properly "
-"implemented, it enables a system to adequately defend itself and offers "
-"critical support for application security by protecting against the "
-"tampering with, and bypassing of, secured applications. MAC provides strong "
-"separation of applications that permits the safe execution of untrustworthy "
-"applications. Its ability to limit the privileges associated with executing "
-"processes limits the scope of potential damage that can result from the "
-"exploitation of vulnerabilities in applications and system services. MAC "
-"enables information to be protected from legitimate users with limited "
-"authorization as well as from authorized users who have unwittingly executed "
-"malicious applications.<footnote> <para> \"Meeting Critical Security "
-"Objectives with Security-Enhanced Linux\", by Peter Loscocco and Stephen "
-"Smalley. This paper was originally prepared for the National Security Agency "
-"and is, consequently, in the public domain. Refer to the <ulink url=\"http://"
-"www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml\">original "
-"paper</ulink> for details and the document as it was first released. Any "
-"edits and changes were done by Murray McAllister. </para> </footnote>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following is an example of the labels containing security-relevant "
-"information that are used on processes, Linux users, and files, on Linux "
-"operating systems that run SELinux. This information is called the SELinux "
-"<emphasis>context</emphasis>, and is viewed using the <command>ls -Z</"
-"command> command:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, SELinux provides a user (<computeroutput>unconfined_u</"
-"computeroutput>), a role (<computeroutput>object_r</computeroutput>), a type "
-"(<computeroutput>user_home_t</computeroutput>), and a level "
-"(<computeroutput>s0</computeroutput>). This information is used to make "
-"access control decisions. With DAC, access is controlled based only on Linux "
-"user and group IDs. It is important to remember that SELinux policy rules "
-"are checked <emphasis>after</emphasis> DAC rules. SELinux policy rules are "
-"not used if DAC rules deny access first."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Linux and SELinux Users"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"On Linux operating systems that run SELinux, there are Linux users as well "
-"as SELinux users. SELinux users are part of SELinux policy. Linux users are "
-"mapped to SELinux users. To avoid confusion, this guide uses \"Linux user\" "
-"and \"SELinux user\" to differentiate between the two."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Benefits of running SELinux"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"All processes and files are labeled with a type. A type defines a domain for "
-"processes, and a type for files. Processes are separated from each other by "
-"running in their own domains, and SELinux policy rules define how processes "
-"interact with files, as well as how processes interact with each other. "
-"Access is only allowed if an SELinux policy rule exists that specifically "
-"allows it."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Fine-grained access control. Stepping beyond traditional <trademark class="
-"\"registered\">UNIX</trademark> permissions that are controlled at user "
-"discretion and based on Linux user and group IDs, SELinux access decisions "
-"are based on all available information, such as an SELinux user, role, type, "
-"and, optionally, a level."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux policy is administratively-defined, enforced system-wide, and is not "
-"set at user discretion."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Reduced vulnerability to privilege escalation attacks. One example: since "
-"processes run in domains, and are therefore separated from each other, and "
-"because SELinux policy rules define how processes access files and other "
-"processes, if a process is compromised, the attacker only has access to the "
-"normal functions of that process, and to files the process has been "
-"configured to have access to. For example, if the Apache HTTP Server is "
-"compromised, an attacker can not use that process to read files in user home "
-"directories, unless a specific SELinux policy rule was added or configured "
-"to allow such access."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux can be used to enforce data confidentiality and integrity, as well "
-"as protecting processes from untrusted inputs."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "SELinux is not:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "antivirus software."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "a replacement for passwords, firewalls, or other security systems."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "an all-in-one security solution."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux is designed to enhance existing security solutions, not replace "
-"them. Even when running SELinux, continue to follow good security practices, "
-"such as keeping software up-to-date, using hard-to-guess passwords, "
-"firewalls, and so on."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Examples"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "The following examples demonstrate how SELinux increases security:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The default action is deny. If an SELinux policy rule does not exist to "
-"allow access, such as for a process opening a file, access is denied."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux can confine Linux users. A number of confined SELinux users exist in "
-"SELinux policy. Linux users can be mapped to confined SELinux users to take "
-"advantage of the security rules and mechanisms applied to them. For example, "
-"mapping a Linux user to the SELinux user_u user, results in a Linux user "
-"that is not able to run (unless configured otherwise) set user ID (setuid) "
-"applications, such as <command>sudo</command> and <command>su</command>, as "
-"well as preventing them from executing files and applications in their home "
-"directory - if configured, this prevents users from executing malicious "
-"files from their home directories."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Process separation is used. Processes run in their own domains, preventing "
-"processes from accessing files used by other processes, as well as "
-"preventing processes from accessing other processes. For example, when "
-"running SELinux, unless otherwise configured, an attacker can not compromise "
-"a Samba server, and then use that Samba server as an attack vector to read "
-"and write to files used by other processes, such as databases used by "
-"<trademark class=\"registered\">MySQL</trademark>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux helps limit the damage made by configuration mistakes. <ulink url="
-"\"http://en.wikipedia.org/wiki/Domain_Name_System\">Domain Name System (DNS)"
-"</ulink> servers often replicate information between each other in what is "
-"known as a zone transfer. Attackers can use zone transfers to update DNS "
-"servers with false information. When running the <ulink url=\"https://www."
-"isc.org/software/bind\">Berkeley Internet Name Domain (BIND)</ulink> as a "
-"DNS server in Fedora, even if an administrator forgets to limit which "
-"servers can perform a zone transfer, the default SELinux policy prevents "
-"zone files <footnote> <para> Text files that include information, such as "
-"hostname to IP address mappings, that are used by DNS servers. </para> </"
-"footnote> from being updated via zone transfers, by the BIND <systemitem "
-"class=\"daemon\">named</systemitem> daemon itself, and by other processes."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to the <ulink url=\"http://www.redhatmagazine.com/\"><trademark class="
-"\"registered\">Red Hat</trademark> Magazine</ulink> article, <ulink url="
-"\"http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-"
-"hat-enterprise-linux-4/\">Risk report: Three years of Red Hat Enterprise "
-"Linux 4</ulink><footnote> <para> Cox, Mark. \"Risk report: Three years of "
-"Red Hat Enterprise Linux 4\". Published 26 February 2008. Accessed 27 August "
-"2009: <ulink url=\"http://www.redhatmagazine.com/2008/02/26/risk-report-"
-"three-years-of-red-hat-enterprise-linux-4/\" />. </para> </footnote>, for "
-"exploits that were restricted due to the default SELinux targeted policy in "
-"<trademark class=\"registered\">Red Hat</trademark> Enterprise <trademark "
-"class=\"registered\">Linux</trademark> 4."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to the <ulink url=\"http://www.linuxworld.com\">LinuxWorld.com</ulink> "
-"article, <ulink url=\"http://www.linuxworld.com/news/2008/022408-selinux."
-"html?page=1\">A seatbelt for server software: SELinux blocks real-world "
-"exploits</ulink><footnote> <para> Marti, Don. \"A seatbelt for server "
-"software: SELinux blocks real-world exploits\". Published 24 February 2008. "
-"Accessed 27 August 2009: <ulink url=\"http://www.linuxworld.com/"
-"news/2008/022408-selinux.html?page=1\" />. </para> </footnote>, for "
-"background information about SELinux, and information about various exploits "
-"that SELinux has prevented."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to James Morris's <ulink url=\"http://james-morris.livejournal."
-"com/25421.html\">SELinux mitigates remote root vulnerability in OpenPegasus</"
-"ulink> blog post for information about an exploit in <ulink url=\"http://www."
-"openpegasus.org/\">OpenPegasus</ulink> that was mitigated by SELinux as "
-"shipped with Red Hat Enterprise Linux 4 and 5."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <ulink url=\"http://www.tresys.com/\">Tresys Technology</ulink> website "
-"has an <ulink url=\"http://www.tresys.com/innovation.php\">SELinux "
-"Mitigation News</ulink> section (on the right-hand side), that lists recent "
-"exploits that have been mitigated or prevented by SELinux."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "SELinux Architecture"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux is a Linux security module that is built into the Linux kernel. "
-"SELinux is driven by loadable policy rules. When security-relevant access is "
-"taking place, such as when a process attempts to open a file, the operation "
-"is intercepted in the kernel by SELinux. If an SELinux policy rule allows "
-"the operation, it continues, otherwise, the operation is blocked and the "
-"process receives an error."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux decisions, such as allowing or disallowing access, are cached. This "
-"cache is known as the Access Vector Cache (AVC). Caching decisions decreases "
-"how often SELinux policy rules need to be checked, which increases "
-"performance. Remember that SELinux policy rules have no effect if DAC rules "
-"deny access first."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "SELinux on Other Operating Systems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to the following for information about running SELinux on operating "
-"systems:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Hardened Gentoo: <ulink url=\"http://www.gentoo.org/proj/en/hardened/selinux/"
-"selinux-handbook.xml\" />."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Debian: <ulink url=\"http://wiki.debian.org/SELinux\" />."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Ubuntu: <ulink url=\"https://wiki.ubuntu.com/SELinux\" /> and <ulink url="
-"\"https://help.ubuntu.com/community/SELinux\" />."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Red Hat Enterprise Linux: <ulink url=\"http://www.redhat.com/docs/en-US/"
-"Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html\">Red "
-"Hat Enterprise Linux Deployment Guide</ulink> and <ulink url=\"http://www."
-"redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/\">Red Hat "
-"Enterprise Linux 4 SELinux Guide</ulink>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Fedora: <ulink url=\"http://fedoraproject.org/wiki/SELinux\" /> and the "
-"<ulink url=\"http://docs.fedoraproject.org/selinux-faq-fc5/\">Fedora Core 5 "
-"SELinux FAQ</ulink>."
-msgstr ""
+# SOME DESCRIPTIVE TITLE.
+# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: SELinux User Guide\n"
+"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
+"POT-Creation-Date: 2010-04-15T00:19:31\n"
+"PO-Revision-Date: 2010-07-30 00:03+0500\n"
+"Last-Translator: Alexey Cicin <daydrim at gmail.com>\n"
+"Language-Team: trans-ru <trans-ru at lists.fedoraproject.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Russian\n"
+"X-Poedit-Country: RUSSIAN FEDERATION\n"
+
+#. Tag: title
+#, no-c-format
+msgid "Introduction"
+msgstr "Введение"
+
+#. Tag: para
+#, no-c-format
+msgid "Security-Enhanced Linux (SELinux) is an implementation of a <firstterm>mandatory access control</firstterm> mechanism in the Linux kernel, checking for allowed operations after standard <firstterm>discretionary access controls</firstterm> are checked. It was created by the National Security Agency and can enforce rules on files and processes in a Linux system, and on their actions, based on defined policy."
+msgstr "Linux с улучшенной безопасностью (SELinux) - это реализация мандатного управления доступом <firstterm>mandatory access control</firstterm> в ядре Linux, проверяющего разрешение операций после проверки стандартного дискреционного управления доступом <firstterm>discretionary access controls</firstterm>. SELinux создан Агенством Национальной Безопасности и вводит в действие правила для файлов и процессов в системе Linux, для совершаемых над ними действий, основываясь на установленной политике."
+
+#. Tag: para
+#, no-c-format
+msgid "When using SELinux, files, including directories and devices, are referred to as objects. Processes, such as a user running a command or the <trademark class=\"registered\">Mozilla</trademark><trademark class=\"registered\"> Firefox</trademark> application, are referred to as subjects. Most operating systems use a Discretionary Access Control (DAC) system that controls how subjects interact with objects, and how subjects interact with each other. On operating systems using DAC, users control the permissions of files (objects) that they own. For example, on <trademark class=\"registered\">Linux</trademark> operating systems, users could make their home directories world-readable, giving users and processes (subjects) access to potentially sensitive information, with no further protection over this unwanted action."
+msgstr "При использовании SELinux, файлы, включая директории и устройства являются объектами. Процессы, такие как, выполнение команды пользователем или приложение <trademark class=\"registered\">Mozilla</trademark><trademark class=\"registered\"> Firefox</trademark>, являются субъектами. Большинство операционных систем используют механизм дискретного контроля доступа (Discretionary Access Control (DAC), который контролирует каким образом субъекты взаимодействуют с объектами, и как субъекты взаимодействуют друг с другом. В операционных системах с использованием DAC, пользователи контролируют права д
 оступа к файлам (объектам), для которых они являются собственниками. Например, в операционных системах <trademark class=\"registered\">Linux</trademark>, пользователи могут сделать свои домашние директории читаемыми для всех, предоставив пользователям и процессам (субъектам) доступ к потенциально конфеденциальной информации, без какой либо защиты от этого нежелательных действий."
+
+#. Tag: para
+#, no-c-format
+msgid "Relying on DAC mechanisms alone is fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over their files, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so no protection is provided against malicious software. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs could be exploited to obtain further system access.<footnote> <para> \"Integrating Flexible Support for Security Policies into the Linux Operating System\", by Peter Loscocco 
 and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <ulink url=\"http://www.nsa.gov/research/_files/selinux/papers/freenix01/index.shtml\">original paper</ulink> for details and the document as it was first released. Any edits and changes were done by Murray McAllister. </para> </footnote>"
+msgstr "Полагаться только на механизмы DAC - это фундаментально неверно для построения стойкой системы безопасности. Принятие решения о предоставлении доступа DAC основано только на подлинности пользователя и его правами доступа, игнорируя другую значимую информацию, такую как, роль пользователя, функцию и достоверность (надежность) программы, а также конфиденциальность и целостность данных. У каждого пользователя есть полное разделение прав для файлов, при котором невозможно назначать политику безопасности на уровне системы. Более тог
 о, каждая программа запускаемая пользователем наследует все права, предоставленные пользователю, и не ограничена в изменении прав доступа к пользовательским файлам, таким образом, нет никакой защиты против вредоносного программного обеспечения. Множество системных служб и привилегированных программ, должны запускаться с грубо назначенными привилегиями, права на которые превосходят требуемые права, таким образом изъян в любой из этих программ может быть использован эксплоитом для получения доступа к системе. <footnote> <para> \"Integrating Flexi
 ble Support for Security Policies into the Linux Operating System\" , Peter Loscocco и Stephen Smalley. Данный документ изначально предназначался для Агенства Национальной Безопасности и следовательно находится в публичном владении. В соответствии с <ulink url=\"http://www.nsa.gov/research/_files/selinux/papers/freenix01/index.shtml\">original paper</ulink>  деталями и документом, на основании которых он был выпущен первоначально. Все изменения и редактирования выполнил Murray McAllister. </para> </footnote>"
+
+#. Tag: para
+#, no-c-format
+msgid "The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system. Use the <command>ls -l</command> command to view file permissions:"
+msgstr "Ниже показаны примеры разрешений используемые в операционных системах Linux, которые не используют Linux с улучшенной безопасностью (Security-Enhanced Linux, SELinux). Разрешения и выводы в этих примерах могут отличаться от используемых в реальных системах. Для просмотра разрешений используется команда <command>ls -l</command>:"
+
+#. Tag: para
+#, no-c-format
+msgid "The first three permission bits, <computeroutput>rwx</computeroutput>, control the access the Linux <computeroutput>user1</computeroutput> user (in this case, the owner) has to <filename>file1</filename>. The next three permission bits, <computeroutput>rw-</computeroutput>, control the access the Linux <computeroutput>group1</computeroutput> group has to <filename>file1</filename>. The last three permission bits, <computeroutput>r--</computeroutput>, control the access everyone else has to <filename>file1</filename>, which includes all users and processes."
+msgstr "Первые три бита доступа, <computeroutput>rwx</computeroutput>, управляют доступом пользователя Linux <computeroutput>user1</computeroutput> (в данном случае владельца) к файлу <filename>file1</filename>. Следующие три бита доступа , <computeroutput>rw-</computeroutput>, управляют доступом группы Linux <computeroutput>group1</computeroutput> к <filename>file1</filename>. Последние три бита доступа <computeroutput>r--</computeroutput>, управляют доступом для всех пользователей к <filename>file1</filename>, что включает всех пользователей и процессы."
+
+#. Tag: para
+#, no-c-format
+msgid "Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as f
 rom authorized users who have unwittingly executed malicious applications.<footnote> <para> \"Meeting Critical Security Objectives with Security-Enhanced Linux\", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the <ulink url=\"http://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml\">original paper</ulink> for details and the document as it was first released. Any edits and changes were done by Murray McAllister. </para> </footnote>"
+msgstr "Security-Enhanced Linux (SELinux) добавляет Mandatory Access Control (MAC) в ядро Linux, и включено в Fedora по-умолчанию. Основное назначение архитектуры MAC - это возможность принудительного назначения административно-установленной политики безопасности над всеми процессами и файлами системы, при этом решение основывается на метках, содержащих множество значимой информации по безопасности. Когда механизм SELinux реализован, он переводит систему в состоянии достаточной защищенности и предоставляет критичную поддержку приложениям, защищая приложения от взлома ил
 и обхода безопасности. MAC предоставляет строгое разделение приложений и позволяет безопасное исполнение не доверенных приложений. Обладая способностью ограничивать привелегии, связанные с исполнением процессов, MAC ограничивает рамки потенциальной угрозы, таким образом ограничивая взлом уязвимостей в приложениях и системных службах. MAC включает защиту информации от пользователей корректно авторизованных в системе с ограниченными правами также как и от авторизованных пользователей, которые неосознанно исполняют вредоносный код
 . <footnote> <para> \"Meeting Critical Security Objectives with Security-Enhanced Linux\" , Peter Loscocco и Stephen Smalley. Данный документ изначально предназначался для Агенства Национальной Безопасности и следовательно находится в публичном владении. В соответствии с <ulink url=\"http://www.nsa.gov/research/_files/selinux/papers/ottawa01/index.shtml\">original paper</ulink>  деталями и документом, на основании которых он был выпущен первоначально. Все изменения и редактирования выполнены Murray McAllister. </para> </footnote>"
+
+#. Tag: para
+#, no-c-format
+msgid "The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux <emphasis>context</emphasis>, and is viewed using the <command>ls -Z</command> command:"
+msgstr "Далее следует пример меток содержащих значимую информацию о безопасности, которая используется для процессов, пользователей Linux и файлов в операционных системах Linux, запущенных с поддержкой SELinux. Эта информация называется SELinux <emphasis>context</emphasis> и просматривается с помощью команды <command>ls -Z</command>:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, SELinux provides a user (<computeroutput>unconfined_u</computeroutput>), a role (<computeroutput>object_r</computeroutput>), a type (<computeroutput>user_home_t</computeroutput>), and a level (<computeroutput>s0</computeroutput>). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. It is important to remember that SELinux policy rules are checked <emphasis>after</emphasis> DAC rules. SELinux policy rules are not used if DAC rules deny access first."
+msgstr "В этом примере, SELinux предоставляет пользователю (<computeroutput>unconfined_u</computeroutput>), роль (<computeroutput>object_r</computeroutput>), тип (<computeroutput>user_home_t</computeroutput>), и уровень (<computeroutput>s0</computeroutput>). Эта информация используется для принятия решения о предоставлении доступа. Используя DAC, доступ контролируется на основе ID пользователя и группы. Важно помнить, что правила политики SELinux проверяются <emphasis>после</emphasis> правил DAC. Правила политики SELinux не используются, если правила DAC блокируют доступ."
+
+#. Tag: title
+#, no-c-format
+msgid "Linux and SELinux Users"
+msgstr "Linux и пользователи SELinux"
+
+#. Tag: para
+#, no-c-format
+msgid "On Linux operating systems that run SELinux, there are Linux users as well as SELinux users. SELinux users are part of SELinux policy. Linux users are mapped to SELinux users. To avoid confusion, this guide uses \"Linux user\" and \"SELinux user\" to differentiate between the two."
+msgstr "В операционных системах Linux с запущенным SELinux, существуют пользователи Linux и пользователи SELinux. Пользователи SELinux - это часть политики SELinux. Пользователи Linux сопоставляются (маппируются) с пользователями SELinux. Для того, чтобы избежать путаницы, в данном руководстве используются два термина \"пользователь Linux\" и \"пользователь SELinux\" для различия двух разных понятий."
+
+#. Tag: title
+#, no-c-format
+msgid "Benefits of running SELinux"
+msgstr "Преимущества использования SELinux"
+
+#. Tag: para
+#, no-c-format
+msgid "All processes and files are labeled with a type. A type defines a domain for processes, and a type for files. Processes are separated from each other by running in their own domains, and SELinux policy rules define how processes interact with files, as well as how processes interact with each other. Access is only allowed if an SELinux policy rule exists that specifically allows it."
+msgstr "Все процессы и файлы маркируются определённым типом. Тип определяет домен для процесса и тип для файлов. Процессы отделяются один от другого запуском в различных доменах и правила политики SELinux определяют как процесс взаимодействует с файлами, так же как и процессы взаимодействуют друг с другом. Доступ предоставляется только в том случае, если существует правило политики SELinux, разрешающее конкретное действие."
+
+#. Tag: para
+#, no-c-format
+msgid "Fine-grained access control. Stepping beyond traditional <trademark class=\"registered\">UNIX</trademark> permissions that are controlled at user discretion and based on Linux user and group IDs, SELinux access decisions are based on all available information, such as an SELinux user, role, type, and, optionally, a level."
+msgstr "Тонко-настраиваемый контроль доступа. Выходя за рамки традиционных разрешений <trademark class=\"registered\">UNIX</trademark> которые контролируются на уровне разделения пользователей и основываются на ID пользователей и групп Linux; решения доступа SELinux принимаются на основе всей доступной информации, такой как, пользователи SELinux, роли, тип и уровень (опционально)."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion."
+msgstr "Политика SELinux назначается административно, вводится в действие на уровне всей системы и не основывается на разделении пользователей."
+
+#. Tag: para
+#, no-c-format
+msgid "Reduced vulnerability to privilege escalation attacks. One example: since processes run in domains, and are therefore separated from each other, and because SELinux policy rules define how processes access files and other processes, if a process is compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to. For example, if the Apache HTTP Server is compromised, an attacker can not use that process to read files in user home directories, unless a specific SELinux policy rule was added or configured to allow such access."
+msgstr "Уменьшение уязвимостей свзянных с атаками по повышению привелегий. Пример. Так как процессы запускаются в доменах и, таким образом, отделены друг от друга, и так как правила политики SELinux определяют, как процессы получают доступ к файлам и другим процессами, то если процесс скомпрометирован, атакующий имеет доступ только к штатным функциям данного процесса и к файлам, доступ к которым есть у данного процесса. К примеру, если Apache HTTP Server скомпрометирован, атакующий не имеет возможности использовать данный процесс, чтобы прочитать фа
 йлы в домашних каталогах пользователей, до тех пор, пока специальное правило политики SELinux не будет сконфигурировано для предоставления такого доступа."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs."
+msgstr "SELinux может быть использован для усиления конфиденциальности и целостности данных, а также для защиты процессов от атак."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux is not:"
+msgstr "SELinux не является:"
+
+#. Tag: para
+#, no-c-format
+msgid "antivirus software."
+msgstr "антивирусным программным обеспечением."
+
+#. Tag: para
+#, no-c-format
+msgid "a replacement for passwords, firewalls, or other security systems."
+msgstr "заменой паролям, межсетевым экранам или другим системам безопасности."
+
+#. Tag: para
+#, no-c-format
+msgid "an all-in-one security solution."
+msgstr "решением безопасности \"всё в одном\"."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux is designed to enhance existing security solutions, not replace them. Even when running SELinux, continue to follow good security practices, such as keeping software up-to-date, using hard-to-guess passwords, firewalls, and so on."
+msgstr "SELinux разработан, для усовершенствования существующих решений по безопасности. Даже с запущенным SELinux, необходимо использование практик по безопасности, таких как обновление программного обеспечения последними обновлениями, использование сложных паролей, межсетевых экранов и прочего."
+
+#. Tag: title
+#, no-c-format
+msgid "Examples"
+msgstr "Примеры"
+
+#. Tag: para
+#, no-c-format
+msgid "The following examples demonstrate how SELinux increases security:"
+msgstr "В следующих примерах демонстрируется как SELinux повышает безопасность:"
+
+#. Tag: para
+#, no-c-format
+msgid "The default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied."
+msgstr "Действие для SELinux по-умолчанию - это блокирование доступа. Если не существует правила политики SELinux, которое предоставляет доступ, к примеру для открытия файла процессом, то доступ блокируется."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux can confine Linux users. A number of confined SELinux users exist in SELinux policy. Linux users can be mapped to confined SELinux users to take advantage of the security rules and mechanisms applied to them. For example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as <command>sudo</command> and <command>su</command>, as well as preventing them from executing files and applications in their home directory - if configured, this prevents users from executing malicious files from their home directories."
+msgstr "SELinux может ограничивать пользователей Linux. Определенное число ограниченных (confined) пользователей SELinux существует в политике SELinux. Пользователи Linux могут быть сопоставлены с ограниченными пользователями SELinux для получения преимуществ использования ролей безопасности и применяемых к ним механизмов. Например, сопоставление пользователя Linux с пользователем SELinux user_u, приводит к тому, что пользователь Linux не может выполнить (до тех пор пока не будет сконфигурировано обратное) приложение с использованием SUID бита (setuid), такие как <command>sudo</co
 mmand> и <command>su</command>, также предотвращает возможность записи ими в их домашние директории - и если сконфигурировано, то предотвращает запуск пользователями вредоносного программного обеспечения из их домашних директорий."
+
+#. Tag: para
+#, no-c-format
+msgid "Process separation is used. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as preventing processes from accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server as an attack vector to read and write to files used by other processes, such as databases used by <trademark class=\"registered\">MySQL</trademark>."
+msgstr "Использование разделения процессов. Процессы запускаются каждый в своём домене, предотвращая, доступ к файлам используемые другими процессами, а также блокируя процессам доступ к другим процессам. Например, когда SELinux включен, если не сконфигурировано обратное, то атакующий не может скомпрометироть Samba сервер, а затем использовать Samba сервер как вектор атаки для чтения и записи файлов, используемых другими процессами, такие как базы данных <trademark class=\"registered\">MySQL</trademark>."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux helps limit the damage made by configuration mistakes. <ulink url=\"http://en.wikipedia.org/wiki/Domain_Name_System\">Domain Name System (DNS)</ulink> servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the <ulink url=\"https://www.isc.org/software/bind\">Berkeley Internet Name Domain (BIND)</ulink> as a DNS server in Fedora, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files <footnote> <para> Text files that include information, such as hostname to IP address mappings, that are used by DNS servers. </para> </footnote> from being updated via zone transfers, by the BIND <systemitem class=\"daemon\">named</systemitem> daemon itself, and by other processes."
+msgstr "SELinux помогает ограничить опасность создаваемую ошибку конфигурирования. <ulink url=\"http://en.wikipedia.org/wiki/Domain_Name_System\">Domain Name System (DNS)</ulink> серверы часто реплицируют информацию друг другу (данных мезанизм известен как передача зон). Атакующие могут использовать передачу зон для передачи DNS серверам ложной информации. Когда <ulink url=\"https://www.isc.org/software/bind\">Berkeley Internet Name Domain (BIND)</ulink> запущен в качестве DNS сервера в Fedora, даже если администратор забудет выставить ограничение, каким серверам разрешено выполнять передачу зон, политика SELinux по умолчанию, пре
 дотвратит файлы зон <footnote> <para> Текстовые файлы зон, которые содержат информацию о сопоставлениях имени хоста и IP адреса, используемых DNS серверами</para> </footnote> от обновления в процессе выполнения передачи зон демоном BIND <systemitem class=\"daemon\">named</systemitem> или другим процессом."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the <ulink url=\"http://www.redhatmagazine.com/\"><trademark class=\"registered\">Red Hat</trademark> Magazine</ulink> article, <ulink url=\"http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/\">Risk report: Three years of Red Hat Enterprise Linux 4</ulink><footnote> <para> Cox, Mark. \"Risk report: Three years of Red Hat Enterprise Linux 4\". Published 26 February 2008. Accessed 27 August 2009: <ulink url=\"http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/\" />. </para> </footnote>, for exploits that were restricted due to the default SELinux targeted policy in <trademark class=\"registered\">Red Hat</trademark> Enterprise <trademark class=\"registered\">Linux</trademark> 4."
+msgstr "Согласно статье <ulink url=\"http://www.redhatmagazine.com/\"><trademark class=\"registered\">Red Hat</trademark> Magazine</ulink>, <ulink url=\"http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/\">Risk report: Three years of Red Hat Enterprise Linux 4</ulink><footnote> <para> Cox, Mark. \"Risk report: Three years of Red Hat Enterprise Linux 4\". Published 26 February 2008. Accessed 27 August 2009: <ulink url=\"http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/\" />. </para> </footnote>, об эксплоитах, которые ограничиваются целевой политикой targeted  SELinux в <trademark class=\"registered\">Red Hat</trademark> Enterprise <trademark class=\"registered\">Linux</trademark> 4."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the <ulink url=\"http://www.linuxworld.com\">LinuxWorld.com</ulink> article, <ulink url=\"http://www.linuxworld.com/news/2008/022408-selinux.html?page=1\">A seatbelt for server software: SELinux blocks real-world exploits</ulink><footnote> <para> Marti, Don. \"A seatbelt for server software: SELinux blocks real-world exploits\". Published 24 February 2008. Accessed 27 August 2009: <ulink url=\"http://www.linuxworld.com/news/2008/022408-selinux.html?page=1\" />. </para> </footnote>, for background information about SELinux, and information about various exploits that SELinux has prevented."
+msgstr "Согласно статье <ulink url=\"http://www.linuxworld.com\">LinuxWorld.com</ulink> article, <ulink url=\"http://www.linuxworld.com/news/2008/022408-selinux.html?page=1\">A seatbelt for server software: SELinux blocks real-world exploits</ulink><footnote> <para> Marti, Don. \"A seatbelt for server software: SELinux blocks real-world exploits\". Published 24 February 2008. Accessed 27 August 2009: <ulink url=\"http://www.linuxworld.com/news/2008/022408-selinux.html?page=1\" />. </para> </footnote>, о внутренней работе SELinux и о различных эксплоитах ограниченных с помощью SELinux."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to James Morris's <ulink url=\"http://james-morris.livejournal.com/25421.html\">SELinux mitigates remote root vulnerability in OpenPegasus</ulink> blog post for information about an exploit in <ulink url=\"http://www.openpegasus.org/\">OpenPegasus</ulink> that was mitigated by SELinux as shipped with Red Hat Enterprise Linux 4 and 5."
+msgstr "Согласно статье в блоге Джейса Морриса (James Morris) <ulink url=\"http://james-morris.livejournal.com/25421.html\">SELinux mitigates remote root vulnerability in OpenPegasus</ulink> об эксплоите в <ulink url=\"http://www.openpegasus.org/\">OpenPegasus</ulink> ограниченном с помощью SELinux поставляемым с Red Hat Enterprise Linux 4 и 5."
+
+#. Tag: para
+#, no-c-format
+msgid "The <ulink url=\"http://www.tresys.com/\">Tresys Technology</ulink> website has an <ulink url=\"http://www.tresys.com/innovation.php\">SELinux Mitigation News</ulink> section (on the right-hand side), that lists recent exploits that have been mitigated or prevented by SELinux."
+msgstr "Вебсайт <ulink url=\"http://www.tresys.com/\">Tresys Technology</ulink> опубликовал новость в разделе <ulink url=\"http://www.tresys.com/innovation.php\">SELinux Mitigation News</ulink> с правой стороны, в котором приведен список эксплоитов, ограниченных или полностью заблокированных с помощью SELinux."
+
+#. Tag: title
+#, no-c-format
+msgid "SELinux Architecture"
+msgstr "Архитектура SELinux"
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux is a Linux security module that is built into the Linux kernel. SELinux is driven by loadable policy rules. When security-relevant access is taking place, such as when a process attempts to open a file, the operation is intercepted in the kernel by SELinux. If an SELinux policy rule allows the operation, it continues, otherwise, the operation is blocked and the process receives an error."
+msgstr "SELinux - это модуль безопасности, который встроен в ядро Linux. SELinux управляется загружаемыми политиками. Когда происходит событие, имеющее значение по безопасности, такое как, открытие процессом файла, то это действие перехватывается SELinux на уровне ядра. Если правила политики SELinux позволяют выполнение данной операции, то выполнение продолжается, иначе, операция блокируется и процесс получает сообщение об ошибке."
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Caching decisions decreases how often SELinux policy rules need to be checked, which increases performance. Remember that SELinux policy rules have no effect if DAC rules deny access first."
+msgstr "Решения SELinux, такие как разрешение или блокирование доступа кэшируются. Этот кэш известен как Access Vector Cache (AVC). Кэшированные решения уменьшают частоту обращения к правила поилитики SELinux, что увеличивает производительность. Необходимо помнить, что правила политики SELinux не используются, если правила DAC блокируют доступ."
+
+#. Tag: title
+#, no-c-format
+msgid "SELinux on Other Operating Systems"
+msgstr "SELinux в разных операционных системах"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the following for information about running SELinux on operating systems:"
+msgstr "Сслыки к ресурсам с дополнительной информацией о запуске SELinux в разных операционных системах:"
+
+#. Tag: para
+#, no-c-format
+msgid "Hardened Gentoo: <ulink url=\"http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml\" />."
+msgstr "Hardened Gentoo: <ulink url=\"http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml\" />."
+
+#. Tag: para
+#, no-c-format
+msgid "Debian: <ulink url=\"http://wiki.debian.org/SELinux\" />."
+msgstr "Debian: <ulink url=\"http://wiki.debian.org/SELinux\" />."
+
+#. Tag: para
+#, no-c-format
+msgid "Ubuntu: <ulink url=\"https://wiki.ubuntu.com/SELinux\" /> and <ulink url=\"https://help.ubuntu.com/community/SELinux\" />."
+msgstr "Ubuntu: <ulink url=\"https://wiki.ubuntu.com/SELinux\" /> и <ulink url=\"https://help.ubuntu.com/community/SELinux\" />."
+
+#. Tag: para
+#, no-c-format
+msgid "Red Hat Enterprise Linux: <ulink url=\"http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html\">Red Hat Enterprise Linux Deployment Guide</ulink> and <ulink url=\"http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/\">Red Hat Enterprise Linux 4 SELinux Guide</ulink>."
+msgstr "Red Hat Enterprise Linux: <ulink url=\"http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html\">Red Hat Enterprise Linux Deployment Guide</ulink> и <ulink url=\"http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/\">Red Hat Enterprise Linux 4 SELinux Guide</ulink>."
+
+#. Tag: para
+#, no-c-format
+msgid "Fedora: <ulink url=\"http://fedoraproject.org/wiki/SELinux\" /> and the <ulink url=\"http://docs.fedoraproject.org/selinux-faq-fc5/\">Fedora Core 5 SELinux FAQ</ulink>."
+msgstr "Fedora: <ulink url=\"http://fedoraproject.org/wiki/SELinux\" /> и <ulink url=\"http://docs.fedoraproject.org/selinux-faq-fc5/\">Fedora Core 5 SELinux FAQ</ulink>."
+