r475 - community/trunk/SELinux_User_Guide/ru-RU

transif at fedoraproject.org transif at fedoraproject.org
Tue Aug 24 05:00:31 UTC 2010


Author: transif
Date: 2010-08-24 05:00:31 +0000 (Tue, 24 Aug 2010)
New Revision: 475

Modified:
   community/trunk/SELinux_User_Guide/ru-RU/Targeted_Policy.po
Log:
l10n: Updates to Russian (ru) translation

Transmitted-via: Transifex (translate.fedoraproject.org)

Modified: community/trunk/SELinux_User_Guide/ru-RU/Targeted_Policy.po
===================================================================
--- community/trunk/SELinux_User_Guide/ru-RU/Targeted_Policy.po	2010-08-12 11:32:24 UTC (rev 474)
+++ community/trunk/SELinux_User_Guide/ru-RU/Targeted_Policy.po	2010-08-24 05:00:31 UTC (rev 475)
@@ -1,667 +1,944 @@
-# SOME DESCRIPTIVE TITLE.
-# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
-#
-#, fuzzy
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
-"POT-Creation-Date: 2010-04-15T00:19:31\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
-"Language-Team: LANGUAGE <kde-i18n-doc at kde.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Type: application/x-xml2pot; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#. Tag: title
-#, no-c-format
-msgid "Targeted Policy"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Targeted policy is the default SELinux policy used in Fedora. When using "
-"targeted policy, processes that are targeted run in a confined domain, and "
-"processes that are not targeted run in an unconfined domain. For example, by "
-"default, logged in users run in the <computeroutput>unconfined_t</"
-"computeroutput> domain, and system processes started by init run in the "
-"<computeroutput>initrc_t</computeroutput> domain - both of these domains are "
-"unconfined."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Unconfined domains (as well as confined domains) are subject to executable "
-"and writeable memory checks. By default, subjects running in an unconfined "
-"domain can not allocate writeable memory and execute it. This reduces "
-"vulnerability to <ulink url=\"http://en.wikipedia.org/wiki/Buffer_overflow"
-"\">buffer overflow attacks</ulink>. These memory checks are disabled by "
-"setting Booleans, which allow the SELinux policy to be modified at runtime. "
-"Boolean configuration is discussed later."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Confined Processes"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Almost every service that listens on a network is confined in Fedora. Also, "
-"most processes that run as the Linux root user and perform tasks for users, "
-"such as the <application>passwd</application> application, are confined. "
-"When a process is confined, it runs in its own domain, such as the "
-"<systemitem class=\"daemon\">httpd</systemitem> process running in the "
-"<computeroutput>httpd_t</computeroutput> domain. If a confined process is "
-"compromised by an attacker, depending on SELinux policy configuration, an "
-"attacker's access to resources and the possible damage they can do is "
-"limited."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following example demonstrates how SELinux prevents the Apache HTTP "
-"Server (<systemitem class=\"daemon\">httpd</systemitem>) from reading files "
-"that are not correctly labeled, such as files intended for use by Samba. "
-"This is an example, and should not be used in production. It assumes that "
-"the <package>httpd</package>, <package>wget</package>, "
-"<package>setroubleshoot-server</package>, <package>dbus</package> and "
-"<package>audit</package> packages are installed, that the SELinux targeted "
-"policy is used, and that SELinux is running in enforcing mode:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>sestatus</command> command to confirm that SELinux is "
-"enabled, is running in enforcing mode, and that targeted policy is being "
-"used:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<computeroutput>SELinux status: enabled</computeroutput> is returned when "
-"SELinux is enabled. <computeroutput>Current mode: enforcing</computeroutput> "
-"is returned when SELinux is running in enforcing mode. "
-"<computeroutput>Policy from config file: targeted</computeroutput> is "
-"returned when the SELinux targeted policy is used."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>touch /var/www/html/testfile</"
-"command> command to create a file."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /var/www/html/testfile</command> command to view the "
-"SELinux context:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, Linux users run unconfined in Fedora, which is why the "
-"<filename>testfile</filename> file is labeled with the SELinux "
-"<computeroutput>unconfined_u</computeroutput> user. RBAC is used for "
-"processes, not files. Roles do not have a meaning for files - the "
-"<computeroutput>object_r</computeroutput> role is a generic role used for "
-"files (on persistent storage and network file systems). Under the <filename>/"
-"proc/</filename> directory, files related to processes may use the "
-"<computeroutput>system_r</computeroutput> role.<footnote> <para> When using "
-"other policies, such as MLS, other roles may be used, for example, "
-"<computeroutput>secadm_r</computeroutput>. </para> </footnote> The "
-"<computeroutput>httpd_sys_content_t</computeroutput> type allows the "
-"<systemitem class=\"daemon\">httpd</systemitem> process to access this file."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>service httpd start</command> "
-"command to start the <systemitem class=\"daemon\">httpd</systemitem> "
-"process. The output is as follows if <systemitem class=\"daemon\">httpd</"
-"systemitem> starts successfully:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Change into a directory where your Linux user has write access to, and run "
-"the <command>wget http://localhost/testfile</command> command. Unless there "
-"are changes to the default configuration, this command succeeds:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <command>chcon</command> command relabels files; however, such label "
-"changes do not survive when the file system is relabeled. For permanent "
-"changes that survive a file system relabel, use the <command>semanage</"
-"command> command, which is discussed later. As the Linux root user, run the "
-"following command to change the type to a type used by Samba:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>chcon -t samba_share_t /var/www/html/testfile</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /var/www/html/testfile</command> command to view the "
-"changes:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Note: the current DAC permissions allow the <systemitem class=\"daemon"
-"\">httpd</systemitem> process access to <filename>testfile</filename>. "
-"Change into a directory where your Linux user has write access to, and run "
-"the <command>wget http://localhost/testfile</command> command. Unless there "
-"are changes to the default configuration, this command fails:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>rm -i /var/www/html/testfile</"
-"command> command to remove <filename>testfile</filename>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you do not require <systemitem class=\"daemon\">httpd</systemitem> to be "
-"running, as the Linux root user, run the <command>service httpd stop</"
-"command> command to stop <systemitem class=\"daemon\">httpd</systemitem>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This example demonstrates the additional security added by SELinux. Although "
-"DAC rules allowed the <systemitem class=\"daemon\">httpd</systemitem> "
-"process access to <filename>testfile</filename> in step 7, because the file "
-"was labeled with a type that the <systemitem class=\"daemon\">httpd</"
-"systemitem> process does not have access to, SELinux denied access. After "
-"step 7, an error similar to the following is logged to <filename>/var/log/"
-"messages</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Previous log files may use a <filename>/var/log/messages."
-"<replaceable>YYYYMMDD</replaceable></filename> format. When running "
-"<application>syslog-ng</application>, previous log files may use a "
-"<filename>/var/log/messages.<replaceable>X</replaceable></filename> format. "
-"If the <systemitem class=\"daemon\">setroubleshootd</systemitem> and "
-"<systemitem class=\"daemon\">auditd</systemitem> processes are running, "
-"errors similar to the following are logged to <filename>/var/log/audit/audit."
-"log</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Also, an error similar to the following is logged to <filename>/var/log/"
-"httpd/error_log</filename>:"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Unconfined Processes"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Unconfined processes run in unconfined domains, for example, init programs "
-"run in the unconfined <computeroutput>initrc_t</computeroutput> domain, "
-"unconfined kernel processes run in the <computeroutput>kernel_t</"
-"computeroutput> domain, and unconfined Linux users run in the "
-"<computeroutput>unconfined_t</computeroutput> domain. For unconfined "
-"processes, SELinux policy rules are applied, but policy rules exist that "
-"allow processes running in unconfined domains almost all access. Processes "
-"running in unconfined domains fall back to using DAC rules exclusively. If "
-"an unconfined process is compromised, SELinux does not prevent an attacker "
-"from gaining access to system resources and data, but of course, DAC rules "
-"are still used. SELinux is a security enhancement on top of DAC rules - it "
-"does not replace them."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following example demonstrates how the Apache HTTP Server (<systemitem "
-"class=\"daemon\">httpd</systemitem>) can access data intended for use by "
-"Samba, when running unconfined. Note: in Fedora, the <systemitem class="
-"\"daemon\">httpd</systemitem> process runs in the confined "
-"<computeroutput>httpd_t</computeroutput> domain by default. This is an "
-"example, and should not be used in production. It assumes that the "
-"<package>httpd</package>, <package>wget</package>, <package>setroubleshoot-"
-"server</package>, <package>dbus</package> and <package>audit</package> "
-"packages are installed, that the SELinux targeted policy is used, and that "
-"SELinux is running in enforcing mode:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>touch /var/www/html/test2file</"
-"command> command to create a file."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /var/www/html/test2file</command> command to view the "
-"SELinux context:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, Linux users run unconfined in Fedora, which is why the "
-"<filename>test2file</filename> file is labeled with the SELinux "
-"<computeroutput>unconfined_u</computeroutput> user. RBAC is used for "
-"processes, not files. Roles do not have a meaning for files - the "
-"<computeroutput>object_r</computeroutput> role is a generic role used for "
-"files (on persistent storage and network file systems). Under the <filename>/"
-"proc/</filename> directory, files related to processes may use the "
-"<computeroutput>system_r</computeroutput> role.<footnote> <para> When using "
-"other policies, such as MLS, other roles may also be used, for example, "
-"<computeroutput>secadm_r</computeroutput>. </para> </footnote> The "
-"<computeroutput>httpd_sys_content_t</computeroutput> type allows the "
-"<systemitem class=\"daemon\">httpd</systemitem> process to access this file."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>chcon -t samba_share_t /var/www/html/test2file</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /var/www/html/test2file</command> command to view the "
-"changes:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>service httpd status</command> command to confirm that the "
-"<systemitem class=\"daemon\">httpd</systemitem> process is not running:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If the output differs, run the <command>service httpd stop</command> command "
-"as the Linux root user to stop the <systemitem class=\"daemon\">httpd</"
-"systemitem> process:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To make the <systemitem class=\"daemon\">httpd</systemitem> process run "
-"unconfined, run the following command as the Linux root user to change the "
-"type of <filename>/usr/sbin/httpd</filename>, to a type that does not "
-"transition to a confined domain:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>chcon -t unconfined_exec_t /usr/sbin/httpd</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /usr/sbin/httpd</command> command to confirm that "
-"<filename>/usr/sbin/httpd</filename> is labeled with the "
-"<computeroutput>unconfined_exec_t</computeroutput> type:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ps -eZ | grep httpd</command> command to view the "
-"<systemitem class=\"daemon\">httpd</systemitem> running in the "
-"<computeroutput>unconfined_t</computeroutput> domain:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Change into a directory where your Linux user has write access to, and run "
-"the <command>wget http://localhost/test2file</command> command. Unless there "
-"are changes to the default configuration, this command succeeds:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Although the <systemitem class=\"daemon\">httpd</systemitem> process does "
-"not have access to files labeled with the <computeroutput>samba_share_t</"
-"computeroutput> type, <systemitem class=\"daemon\">httpd</systemitem> is "
-"running in the unconfined <computeroutput>unconfined_t</computeroutput> "
-"domain, and falls back to using DAC rules, and as such, the <command>wget</"
-"command> command succeeds. Had <systemitem class=\"daemon\">httpd</"
-"systemitem> been running in the confined <computeroutput>httpd_t</"
-"computeroutput> domain, the <command>wget</command> command would have "
-"failed."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <command>restorecon</command> command restores the default SELinux "
-"context for files. As the Linux root user, run the <command>restorecon -v /"
-"usr/sbin/httpd</command> command to restore the default SELinux context for "
-"<filename>/usr/sbin/httpd</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>ls -Z /usr/sbin/httpd</command> command to confirm that "
-"<filename>/usr/sbin/httpd</filename> is labeled with the "
-"<computeroutput>httpd_exec_t</computeroutput> type:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>/sbin/service httpd restart</"
-"command> command to restart <systemitem class=\"daemon\">httpd</systemitem>. "
-"After restarting, run the <command>ps -eZ | grep httpd</command> to confirm "
-"that <systemitem class=\"daemon\">httpd</systemitem> is running in the "
-"confined <computeroutput>httpd_t</computeroutput> domain:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>rm -i /var/www/html/test2file</"
-"command> command to remove <filename>test2file</filename>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The examples in these sections demonstrate how data can be protected from a "
-"compromised confined-process (protected by SELinux), as well as how data is "
-"more accessible to an attacker from a compromised unconfined-process (not "
-"protected by SELinux)."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Confined and Unconfined Users"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Each Linux user is mapped to an SELinux user via SELinux policy. This allows "
-"Linux users to inherit the restrictions on SELinux users. This Linux user "
-"mapping is seen by running the <command>semanage login -l</command> command "
-"as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In Fedora&nbsp;&PRODVER;, Linux users are mapped to the SELinux "
-"<computeroutput>__default__</computeroutput> login by default (which is "
-"mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user). "
-"The following defines the default-mapping:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following example demonstrates adding a new Linux user, and that Linux "
-"user being mapped to the SELinux <computeroutput>unconfined_u</"
-"computeroutput> user. It assumes that the Linux root user is running "
-"unconfined, as it does by default in Fedora&nbsp;&PRODVER;:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>/usr/sbin/useradd newuser</command> "
-"command to create a new Linux user named newuser."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>passwd newuser</command> command to "
-"assign a password to the Linux newuser user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Log out of your current session, and log in as the Linux newuser user. When "
-"you log in, pam_selinux maps the Linux user to an SELinux user (in this "
-"case, unconfined_u), and sets up the resulting SELinux context. The Linux "
-"user's shell is then launched with this context. Run the <command>id -Z</"
-"command> command to view the context of a Linux user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Log out of the Linux newuser's session, and log in with your account. If you "
-"do not want the Linux newuser user, run the <command>/usr/sbin/userdel -r "
-"newuser</command> command as the Linux root user to remove it, along with "
-"the Linux newuser's home directory."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Confined and unconfined Linux users are subject to executable and writeable "
-"memory checks, and are also restricted by MCS (and MLS, if the MLS policy is "
-"used). If unconfined Linux users execute an application that SELinux policy "
-"defines can transition from the <computeroutput>unconfined_t</"
-"computeroutput> domain to its own confined domain, unconfined Linux users "
-"are still subject to the restrictions of that confined domain. The security "
-"benefit of this is that, even though a Linux user is running unconfined, the "
-"application remains confined, and therefore, the exploitation of a flaw in "
-"the application can be limited by policy. Note: this does not protect the "
-"system from the user. Instead, the user and the system are being protected "
-"from possible damage caused by a flaw in the application."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following confined SELinux users are available in Fedora&nbsp;&PRODVER;:"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "SELinux User Capabilities"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "User"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "Domain"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "X Window System"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "su and sudo"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "Execute in home directory and /tmp/"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "Networking"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "guest_u"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "guest_t"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "no"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "optional"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "xguest_u"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "xguest_t"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "yes"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "only <application>Firefox</application>"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "user_u"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "user_t"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "staff_u"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "staff_t"
-msgstr ""
-
-#. Tag: entry
-#, no-c-format
-msgid "only <command>sudo</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Linux users in the <computeroutput>guest_t</computeroutput>, "
-"<computeroutput>xguest_t</computeroutput>, and <computeroutput>user_t</"
-"computeroutput> domains can only run set user ID (setuid) applications if "
-"SELinux policy permits it (such as <command>passwd</command>). They can not "
-"run the <command>su</command> and <command>/usr/bin/sudo</command> setuid "
-"applications, and therefore, can not use these applications to become the "
-"Linux root user."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Linux users in the <computeroutput>guest_t</computeroutput> domain have no "
-"network access, and can only log in via a terminal (including <systemitem "
-"class=\"daemon\">ssh</systemitem>; they can log in via <systemitem class="
-"\"daemon\">ssh</systemitem>, but can not use <systemitem class=\"daemon"
-"\">ssh</systemitem> to connect to another system)."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The only network access Linux users in the <computeroutput>xguest_t</"
-"computeroutput> domain have is <application>Firefox</application> connecting "
-"to web pages."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Linux users in the <computeroutput>xguest_t</computeroutput>, "
-"<computeroutput>user_t</computeroutput> and <computeroutput>staff_t</"
-"computeroutput> domains can log in via the X Window System and a terminal."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, Linux users in the <computeroutput>staff_t</computeroutput> "
-"domain do not have permissions to execute applications with <command>/usr/"
-"bin/sudo</command>. These permissions must be configured by an administrator."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, Linux users in the <computeroutput>guest_t</computeroutput> and "
-"<computeroutput>xguest_t</computeroutput> domains can not execute "
-"applications in their home directories or <filename>/tmp/</filename>, "
-"preventing them from executing applications (which inherit users' "
-"permissions) in directories they have write access to. This helps prevent "
-"flawed or malicious applications from modifying files users' own."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, Linux users in the <computeroutput>user_t</computeroutput> and "
-"<computeroutput>staff_t</computeroutput> domains can execute applications in "
-"their home directories and <filename>/tmp/</filename>. Refer to <xref "
-"linkend=\"sect-Security-Enhanced_Linux-Confining_Users-"
-"Booleans_for_Users_Executing_Applications\" /> for information about "
-"allowing and preventing users from executing applications in their home "
-"directories and <filename>/tmp/</filename>."
-msgstr ""
+# SOME DESCRIPTIVE TITLE.
+# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: SELinux User Guide\n"
+"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
+"POT-Creation-Date: 2010-04-15T00:19:31\n"
+"PO-Revision-Date: 2010-08-24 \n"
+"Last-Translator: Alexey Cicin <daydrim at gmail.com>\n"
+"Language-Team: trans-ru <trans-ru at lists.fedoraproject.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Russian\n"
+"X-Poedit-Country: RUSSIAN FEDERATION\n"
+"X-Poedit-SourceCharset: utf-8\n"
+
+#. Tag: title
+#, no-c-format
+msgid "Targeted Policy"
+msgstr "Целевая политика Targeted"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Targeted policy is the default SELinux policy used in Fedora. When using "
+"targeted policy, processes that are targeted run in a confined domain, and "
+"processes that are not targeted run in an unconfined domain. For example, by "
+"default, logged in users run in the <computeroutput>unconfined_t</"
+"computeroutput> domain, and system processes started by init run in the "
+"<computeroutput>initrc_t</computeroutput> domain - both of these domains are "
+"unconfined."
+msgstr ""
+"Целевая политика targeted - это политика, используемая в Fedora по "
+"умолчанию. Когда целевая политика targeted используется, процессы, которые "
+"являются целевыми, запускаются в ограниченном домене, остальные процессы "
+"запускаются в неограниченном домене. Например, по умолчанию пользователи, "
+"прошедшие авторизацию, работают в домене <computeroutput>unconfined_t</"
+"computeroutput> и системные процессы запущенные init-ом запускаются в домене "
+"<computeroutput>initrc_t</computeroutput> - оба домена неограниченные."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Unconfined domains (as well as confined domains) are subject to executable "
+"and writeable memory checks. By default, subjects running in an unconfined "
+"domain can not allocate writeable memory and execute it. This reduces "
+"vulnerability to <ulink url=\"http://en.wikipedia.org/wiki/Buffer_overflow"
+"\">buffer overflow attacks</ulink>. These memory checks are disabled by "
+"setting Booleans, which allow the SELinux policy to be modified at runtime. "
+"Boolean configuration is discussed later."
+msgstr ""
+"Неограниченные домены (так же, как и ограниченные) - это субъекты для "
+"операций выполнения и записи в память. По умолчанию, субъекты запущенные в "
+"неограниченном домене не могут выделить память для записи и выполнить "
+"операции. Это уменьшает степень угрозы атаки переполнения буфера <ulink url="
+"\"http://en.wikipedia.org/wiki/Buffer_overflow\">buffer overflow attacks</"
+"ulink>. Эти проверки памяти отключаются установкой Булевых переключателей, "
+"что позволяет изменять политику SELinux \"на ходу\". Настройка Булевых "
+"значений рассматривается позже."
+
+#. Tag: title
+#, no-c-format
+msgid "Confined Processes"
+msgstr "Ограниченные процессы"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Almost every service that listens on a network is confined in Fedora. Also, "
+"most processes that run as the Linux root user and perform tasks for users, "
+"such as the <application>passwd</application> application, are confined. "
+"When a process is confined, it runs in its own domain, such as the "
+"<systemitem class=\"daemon\">httpd</systemitem> process running in the "
+"<computeroutput>httpd_t</computeroutput> domain. If a confined process is "
+"compromised by an attacker, depending on SELinux policy configuration, an "
+"attacker's access to resources and the possible damage they can do is "
+"limited."
+msgstr ""
+"Почти каждая сетевая служба ограничена в Fedora. Также большинство "
+"процессов, которые запускаются в Linux с привелигиями пользователя root и "
+"выполняют задачи для пользователей, такие как приложение "
+"<application>passwd</application>, ограничены. Когда процесс ограничен, он "
+"запускается в своём собственном домене, например процесс <systemitem class="
+"\"daemon\">httpd</systemitem> запускается в домене <computeroutput>httpd_t</"
+"computeroutput>. Если ограниченный процесс скомпрометирован атакующим, в "
+"зависимости от конфигурации SELinux, доступ атакующего к ресурсам и вред, "
+"который он может нанести ограничен."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The following example demonstrates how SELinux prevents the Apache HTTP "
+"Server (<systemitem class=\"daemon\">httpd</systemitem>) from reading files "
+"that are not correctly labeled, such as files intended for use by Samba. "
+"This is an example, and should not be used in production. It assumes that "
+"the <package>httpd</package>, <package>wget</package>, "
+"<package>setroubleshoot-server</package>, <package>dbus</package> and "
+"<package>audit</package> packages are installed, that the SELinux targeted "
+"policy is used, and that SELinux is running in enforcing mode:"
+msgstr ""
+"В следующем примере демонстрируется как SELinux предотвращает Apache HTTP "
+"Server (<systemitem class=\"daemon\">httpd</systemitem>) от чтения файлов, "
+"которые не промаркированы корректно, такие как файлы используемые Samba. "
+"Данный пример не рекомендуется использовать в продуктивных средах. "
+"Подразумевается, что пакеты <package>httpd</package>, <package>wget</"
+"package>, <package>setroubleshoot-server</package>, <package>dbus</package> "
+"и <package>audit</package> установлены, и используется целевая политика "
+"SELinux targeted, SELinux запущен в принудительном enforcing режиме:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>sestatus</command> command to confirm that SELinux is "
+"enabled, is running in enforcing mode, and that targeted policy is being "
+"used:"
+msgstr ""
+"Для того, чтобы убедиться, что SELinux включен в принудительном режиме с "
+"целевой политикой, необходимо выполнить команду <command>sestatus</command>"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"<computeroutput>SELinux status: enabled</computeroutput> is returned when "
+"SELinux is enabled. <computeroutput>Current mode: enforcing</computeroutput> "
+"is returned when SELinux is running in enforcing mode. "
+"<computeroutput>Policy from config file: targeted</computeroutput> is "
+"returned when the SELinux targeted policy is used."
+msgstr ""
+"Значение <computeroutput>SELinux status: enabled</computeroutput> "
+"возвращается, когда SELinux включен. Значение <computeroutput>Current mode: "
+"enforcing</computeroutput> возвращается, когда SELinux запущен в "
+"принудительном режиме. Значение <computeroutput>Policy from config file: "
+"targeted</computeroutput> возвращается, если используется целевая политика "
+"SELinux targeted."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>touch /var/www/html/testfile</"
+"command> command to create a file."
+msgstr ""
+"От имени пользователя Linux root выполните команду <command>touch /var/www/"
+"html/testfile</command> для создания файла."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /var/www/html/testfile</command> command to view the "
+"SELinux context:"
+msgstr ""
+"Выполните команду <command>ls -Z /var/www/html/testfile</command> для "
+"просмотра контекста SELinux:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"By default, Linux users run unconfined in Fedora, which is why the "
+"<filename>testfile</filename> file is labeled with the SELinux "
+"<computeroutput>unconfined_u</computeroutput> user. RBAC is used for "
+"processes, not files. Roles do not have a meaning for files - the "
+"<computeroutput>object_r</computeroutput> role is a generic role used for "
+"files (on persistent storage and network file systems). Under the <filename>/"
+"proc/</filename> directory, files related to processes may use the "
+"<computeroutput>system_r</computeroutput> role.<footnote> <para> When using "
+"other policies, such as MLS, other roles may be used, for example, "
+"<computeroutput>secadm_r</computeroutput>. </para> </footnote> The "
+"<computeroutput>httpd_sys_content_t</computeroutput> type allows the "
+"<systemitem class=\"daemon\">httpd</systemitem> process to access this file."
+msgstr ""
+"По умолчанию в Fedora пользователи Linux работают неограниченными "
+"(unconfined), поэтому файл <filename>testfile</filename> помечен "
+"пользователем SELinux <computeroutput>unconfined_u</computeroutput>. RBAC "
+"используется только для процессов, для файлов не используется. Роли не имеют "
+"значения для файлов - роль <computeroutput>object_r</computeroutput> "
+"является универсальной для файлов (на постоянно подключенных хранилищах или "
+"сетевых файловых системах). В директории <filename>/proc/</filename> файлы, "
+"относящиеся к процессам, могу использовать роль <computeroutput>system_r</"
+"computeroutput>.<footnote> <para> При использовании других политик, таких "
+"как MLS, могут использоваться другие роли, например, "
+"<computeroutput>secadm_r</computeroutput>. </para> </footnote>. Тип "
+"<computeroutput>httpd_sys_content_t</computeroutput> разрешает процессу "
+"<systemitem class=\"daemon\">httpd</systemitem> получить доступ к этому "
+"файлу."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>service httpd start</command> "
+"command to start the <systemitem class=\"daemon\">httpd</systemitem> "
+"process. The output is as follows if <systemitem class=\"daemon\">httpd</"
+"systemitem> starts successfully:"
+msgstr ""
+"От имени пользователя Lnux root выполните команду <command>service httpd "
+"start</command> для запуска процесса <systemitem class=\"daemon\">httpd</"
+"systemitem> Вывод команды показан ниже, если <systemitem class=\"daemon"
+"\">httpd</systemitem> запустился успешно:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Change into a directory where your Linux user has write access to, and run "
+"the <command>wget http://localhost/testfile</command> command. Unless there "
+"are changes to the default configuration, this command succeeds:"
+msgstr ""
+"Перейдите в каталог, где у вашего Linux пользователя есть права на запись, и "
+"выполните команду <command>wget http://localhost/testfile</command>. Если в "
+"конфигурацию по умолчанию не внесены изменения, то это команда выполнится "
+"успешно:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The <command>chcon</command> command relabels files; however, such label "
+"changes do not survive when the file system is relabeled. For permanent "
+"changes that survive a file system relabel, use the <command>semanage</"
+"command> command, which is discussed later. As the Linux root user, run the "
+"following command to change the type to a type used by Samba:"
+msgstr ""
+"Команда <command>chcon</command> перемаркирует файлы; однако такие изменения "
+"не сохраняются, когда файловая система перемаркируется. Для внесения "
+"постоянных сохраняющихся изменений используется команда <command>semanage</"
+"command>, которая обсуждается позже. От имени пользователя root выполните "
+"следующую команду для изменения типа на тип, используемый Samba:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>chcon -t samba_share_t /var/www/html/testfile</command>"
+msgstr "<command>chcon -t samba_share_t /var/www/html/testfile</command>"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /var/www/html/testfile</command> command to view the "
+"changes:"
+msgstr ""
+"Выполните команду <command>ls -Z /var/www/html/testfile</command> для "
+"просмотра внесенных изменений:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Note: the current DAC permissions allow the <systemitem class=\"daemon"
+"\">httpd</systemitem> process access to <filename>testfile</filename>. "
+"Change into a directory where your Linux user has write access to, and run "
+"the <command>wget http://localhost/testfile</command> command. Unless there "
+"are changes to the default configuration, this command fails:"
+msgstr ""
+"Примечание: текущие разрешения DAC разрешают процессу <systemitem class="
+"\"daemon\">httpd</systemitem> получить доступ к файлу <filename>testfile</"
+"filename>. Перейдите в директорию, где у вашего пользователя есть права на "
+"запись и выполните команду <command>wget http://localhost/testfile</"
+"command>. Если в конфигурацию по умолчанию не внесены измнения, то команда "
+"завершится с ошибкой:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>rm -i /var/www/html/testfile</"
+"command> command to remove <filename>testfile</filename>."
+msgstr ""
+"От имени пользователя root, выполните команду <command>rm -i /var/www/html/"
+"testfile</command> для удаления <filename>testfile</filename>."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"If you do not require <systemitem class=\"daemon\">httpd</systemitem> to be "
+"running, as the Linux root user, run the <command>service httpd stop</"
+"command> command to stop <systemitem class=\"daemon\">httpd</systemitem>:"
+msgstr ""
+"Если нет необходимости в запущенном <systemitem class=\"daemon\">httpd</"
+"systemitem>, то от имени пользователя root выполните команду "
+"<command>service httpd stop</command>  для остановки <systemitem class="
+"\"daemon\">httpd</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"This example demonstrates the additional security added by SELinux. Although "
+"DAC rules allowed the <systemitem class=\"daemon\">httpd</systemitem> "
+"process access to <filename>testfile</filename> in step 7, because the file "
+"was labeled with a type that the <systemitem class=\"daemon\">httpd</"
+"systemitem> process does not have access to, SELinux denied access. After "
+"step 7, an error similar to the following is logged to <filename>/var/log/"
+"messages</filename>:"
+msgstr ""
+"Дополнительные настрйоки безопасности добавленные в SELinux показаны на "
+"примере. Несмотря на то, что правила DAC разрешают процессу <systemitem "
+"class=\"daemon\">httpd</systemitem> доступ к <filename>testfile</filename> "
+"используемому в шаге 7, так как файл маркирован типо, к которому процесс "
+"<systemitem class=\"daemon\">httpd</systemitem> не имеет доступа, то SELinux "
+"отказывает в доступе. После шага 7 ошибка журналируется в <filename>/var/log/"
+"messages</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Previous log files may use a <filename>/var/log/messages."
+"<replaceable>YYYYMMDD</replaceable></filename> format. When running "
+"<application>syslog-ng</application>, previous log files may use a "
+"<filename>/var/log/messages.<replaceable>X</replaceable></filename> format. "
+"If the <systemitem class=\"daemon\">setroubleshootd</systemitem> and "
+"<systemitem class=\"daemon\">auditd</systemitem> processes are running, "
+"errors similar to the following are logged to <filename>/var/log/audit/audit."
+"log</filename>:"
+msgstr ""
+"Предыдущие журналы событий могут быть созданы в формате <filename>/var/log/"
+"messages.<replaceable>YYYYMMDD</replaceable></filename>. Если запущен "
+"<application>syslog-ng</application>, предыдущие лог файлы имеют формат "
+"<filename>/var/log/messages.<replaceable>X</replaceable></filename>. Если "
+"процессы <systemitem class=\"daemon\">setroubleshootd</systemitem> и "
+"<systemitem class=\"daemon\">auditd</systemitem> запущены, ошибки, "
+"показанные ниже пишутся в файл <filename>/var/log/audit/audit.log</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Also, an error similar to the following is logged to <filename>/var/log/"
+"httpd/error_log</filename>:"
+msgstr ""
+"Также ошибки, показанные ниже, пишутся в <filename>/var/log/httpd/error_log</"
+"filename>:"
+
+#. Tag: title
+#, no-c-format
+msgid "Unconfined Processes"
+msgstr "Неограниченные процессы"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Unconfined processes run in unconfined domains, for example, init programs "
+"run in the unconfined <computeroutput>initrc_t</computeroutput> domain, "
+"unconfined kernel processes run in the <computeroutput>kernel_t</"
+"computeroutput> domain, and unconfined Linux users run in the "
+"<computeroutput>unconfined_t</computeroutput> domain. For unconfined "
+"processes, SELinux policy rules are applied, but policy rules exist that "
+"allow processes running in unconfined domains almost all access. Processes "
+"running in unconfined domains fall back to using DAC rules exclusively. If "
+"an unconfined process is compromised, SELinux does not prevent an attacker "
+"from gaining access to system resources and data, but of course, DAC rules "
+"are still used. SELinux is a security enhancement on top of DAC rules - it "
+"does not replace them."
+msgstr ""
+"Неограниченные (unconfined) процессы выполняются в неограниченных "
+"(unconfined) доменах, программы запускаемые init выполняются в "
+"неограниченном unconfined <computeroutput>initrc_t</computeroutput> домене, "
+"неограниченные процессы ядра запускаются в домене <computeroutput>kernel_t</"
+"computeroutput>. Для неограниченных процессов правила политики SELinux также "
+"применяются, но правила политики существуют для разрешения практически всех "
+"доступов для процессов, запущенных в неограниченных доменах. Процессы "
+"запущенные в неограниченных доменах откатываются к использованию только "
+"правил DAC. Если неограниченный процесс скомпрометирован, SELinux не "
+"ограничивает атакующего от получения доступа к системным ресурсам и "
+"информации, но, конечно, правила DAC всё равно используются. SELinux это "
+"улучшение механизмов безопасности над дискретным доступом DAC - SELinux не "
+"заменяет правила дискретного доступа."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The following example demonstrates how the Apache HTTP Server (<systemitem "
+"class=\"daemon\">httpd</systemitem>) can access data intended for use by "
+"Samba, when running unconfined. Note: in Fedora, the <systemitem class="
+"\"daemon\">httpd</systemitem> process runs in the confined "
+"<computeroutput>httpd_t</computeroutput> domain by default. This is an "
+"example, and should not be used in production. It assumes that the "
+"<package>httpd</package>, <package>wget</package>, <package>setroubleshoot-"
+"server</package>, <package>dbus</package> and <package>audit</package> "
+"packages are installed, that the SELinux targeted policy is used, and that "
+"SELinux is running in enforcing mode:"
+msgstr ""
+"В следующем примере показывается как Apache HTTP Server (<systemitem class="
+"\"daemon\">httpd</systemitem>) может получить доступ к данным, "
+"предназначенны для использования Samba, если запущен в неограиченном режиме. "
+"Примечание: по умолчанию в Fedora процесс <systemitem class=\"daemon"
+"\">httpd</systemitem> запускается в ограниченном <computeroutput>httpd_t</"
+"computeroutput> домене. Это пример, и он не является инструкцией по "
+"использованию в продуктивных средах. Подразумевается, что пакеты "
+"<package>httpd</package>, <package>wget</package>, <package>setroubleshoot-"
+"server</package>, <package>dbus</package> и <package>audit</package> "
+"установлены, используется целевая политика SELinux targeted и SELinux "
+"запущен в принудительном режиме enforcing:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>touch /var/www/html/test2file</"
+"command> command to create a file."
+msgstr ""
+"От имени пользователя Linux root выполните команду <command>touch /var/www/"
+"html/test2file</command> для создания файла."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /var/www/html/test2file</command> command to view the "
+"SELinux context:"
+msgstr ""
+"Для просмотра контекста SELinux выполните команду <command>ls -Z /var/www/"
+"html/test2file</command>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"By default, Linux users run unconfined in Fedora, which is why the "
+"<filename>test2file</filename> file is labeled with the SELinux "
+"<computeroutput>unconfined_u</computeroutput> user. RBAC is used for "
+"processes, not files. Roles do not have a meaning for files - the "
+"<computeroutput>object_r</computeroutput> role is a generic role used for "
+"files (on persistent storage and network file systems). Under the <filename>/"
+"proc/</filename> directory, files related to processes may use the "
+"<computeroutput>system_r</computeroutput> role.<footnote> <para> When using "
+"other policies, such as MLS, other roles may also be used, for example, "
+"<computeroutput>secadm_r</computeroutput>. </para> </footnote> The "
+"<computeroutput>httpd_sys_content_t</computeroutput> type allows the "
+"<systemitem class=\"daemon\">httpd</systemitem> process to access this file."
+msgstr ""
+"По умолчанию, пользователи Linux работают неограниченно в Fedora, поэтому "
+"файл <filename>test2file</filename> помечен SELinux "
+"<computeroutput>unconfined_u</computeroutput>, RBAC используется только для "
+"процессов, не для файлов. Роли не имеют значения для файлов - роль "
+"<computeroutput>object_r</computeroutput> является универсальной для файлов "
+"(на постоянно подключенных хранилищах или сетевых файловых системах). В "
+"директории <filename>/proc/</filename> файлы, относящиеся к процессам, могут "
+"использовать роль <computeroutput>system_r</computeroutput>.<footnote> "
+"<para>. При использовании других политик, таких как MLS, могут "
+"использоваться другие роли, например, <computeroutput>secadm_r</"
+"computeroutput>. </para> </footnote>. Тип "
+"<computeroutput>httpd_sys_content_t</computeroutput> разрешает процессу "
+"<systemitem class=\"daemon\">httpd</systemitem> получить доступ к этому "
+"файлу."
+
+#. Tag: para
+#, no-c-format
+msgid "<command>chcon -t samba_share_t /var/www/html/test2file</command>"
+msgstr "<command>chcon -t samba_share_t /var/www/html/test2file</command>"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /var/www/html/test2file</command> command to view the "
+"changes:"
+msgstr ""
+"Выполните команду <command>ls -Z /var/www/html/test2file</command> для "
+"просмотра изменений:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>service httpd status</command> command to confirm that the "
+"<systemitem class=\"daemon\">httpd</systemitem> process is not running:"
+msgstr ""
+"Выполните команду <command>service httpd status</command> для того убеждения "
+"в том, что процесс <systemitem class=\"daemon\">httpd</systemitem> не "
+"запущен:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"If the output differs, run the <command>service httpd stop</command> command "
+"as the Linux root user to stop the <systemitem class=\"daemon\">httpd</"
+"systemitem> process:"
+msgstr ""
+"Если вывод команды отличается, выполните команду <command>service httpd "
+"stop</command> от имени пользователя root для остановки процесса <systemitem "
+"class=\"daemon\">httpd</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"To make the <systemitem class=\"daemon\">httpd</systemitem> process run "
+"unconfined, run the following command as the Linux root user to change the "
+"type of <filename>/usr/sbin/httpd</filename>, to a type that does not "
+"transition to a confined domain:"
+msgstr ""
+"Для того, чтобы сделать работу процесса <systemitem class=\"daemon\">httpd</"
+"systemitem> неограниченной, выполните следующую команду от имени "
+"пользователя root для изменения типа файла <filename>/usr/sbin/httpd</"
+"filename>, на тип, который не перейдёт в ограниченный домен:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>chcon -t unconfined_exec_t /usr/sbin/httpd</command>"
+msgstr "<command>chcon -t unconfined_exec_t /usr/sbin/httpd</command>"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /usr/sbin/httpd</command> command to confirm that "
+"<filename>/usr/sbin/httpd</filename> is labeled with the "
+"<computeroutput>unconfined_exec_t</computeroutput> type:"
+msgstr ""
+"Выполните команду <command>ls -Z /usr/sbin/httpd</command> для подтверждения "
+"в том, что <filename>/usr/sbin/httpd</filename> помечен типом "
+"<computeroutput>unconfined_exec_t</computeroutput>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ps -eZ | grep httpd</command> command to view the "
+"<systemitem class=\"daemon\">httpd</systemitem> running in the "
+"<computeroutput>unconfined_t</computeroutput> domain:"
+msgstr ""
+"Выполните команду <command>ps -eZ | grep httpd</command> для того, чтобы "
+"убедиться, что <systemitem class=\"daemon\">httpd</systemitem> выполняется в "
+"домене <computeroutput>unconfined_t</computeroutput>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Change into a directory where your Linux user has write access to, and run "
+"the <command>wget http://localhost/test2file</command> command. Unless there "
+"are changes to the default configuration, this command succeeds:"
+msgstr ""
+"Перейдите в директорию, где у вашего Linux пользователя есть права на "
+"запись, для выполнения команды <command>wget http://localhost/test2file</"
+"command>. Если конфигурация по умолчанию не изменена, то команда выполнится "
+"успешно:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Although the <systemitem class=\"daemon\">httpd</systemitem> process does "
+"not have access to files labeled with the <computeroutput>samba_share_t</"
+"computeroutput> type, <systemitem class=\"daemon\">httpd</systemitem> is "
+"running in the unconfined <computeroutput>unconfined_t</computeroutput> "
+"domain, and falls back to using DAC rules, and as such, the <command>wget</"
+"command> command succeeds. Had <systemitem class=\"daemon\">httpd</"
+"systemitem> been running in the confined <computeroutput>httpd_t</"
+"computeroutput> domain, the <command>wget</command> command would have "
+"failed."
+msgstr ""
+"Несмотря на то, что процесс <systemitem class=\"daemon\">httpd</systemitem> "
+"не имеет доступа к файлам помеченным типом <computeroutput>samba_share_t</"
+"computeroutput>, демон <systemitem class=\"daemon\">httpd</systemitem> "
+"запущен в неограниченном <computeroutput>unconfined_t</computeroutput> "
+"домене и отступает к использованию правил DAC, таким образом, команда "
+"<command>wget</command> выполняется успешно. Если <systemitem class=\"daemon"
+"\">httpd</systemitem> запущен в ограниченном <computeroutput>httpd_t</"
+"computeroutput> домене, то команда <command>wget</command> завершится с "
+"ошибкой."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The <command>restorecon</command> command restores the default SELinux "
+"context for files. As the Linux root user, run the <command>restorecon -v /"
+"usr/sbin/httpd</command> command to restore the default SELinux context for "
+"<filename>/usr/sbin/httpd</filename>:"
+msgstr ""
+"Команда <command>restorecon</command> восстанавливает контекст SELinux по "
+"умолчанию для файлов. От имени пользователя root, выполните команду "
+"<command>restorecon -v /usr/sbin/httpd</command> для восстановления "
+"контекста SELinux по умолчанию для файла  <filename>/usr/sbin/httpd</"
+"filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Run the <command>ls -Z /usr/sbin/httpd</command> command to confirm that "
+"<filename>/usr/sbin/httpd</filename> is labeled with the "
+"<computeroutput>httpd_exec_t</computeroutput> type:"
+msgstr ""
+"Выполните команду <command>ls -Z /usr/sbin/httpd</command> для того, чтобы "
+"убедиться, что <filename>/usr/sbin/httpd</filename> помечен типом "
+"<computeroutput>httpd_exec_t</computeroutput>:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>/sbin/service httpd restart</"
+"command> command to restart <systemitem class=\"daemon\">httpd</systemitem>. "
+"After restarting, run the <command>ps -eZ | grep httpd</command> to confirm "
+"that <systemitem class=\"daemon\">httpd</systemitem> is running in the "
+"confined <computeroutput>httpd_t</computeroutput> domain:"
+msgstr ""
+"От имени пользователя root, выполните команду <command>/sbin/service httpd "
+"restart</command> для перезапуска <systemitem class=\"daemon\">httpd</"
+"systemitem>. После перезапуска, выполните <command>ps -eZ | grep httpd</"
+"command> для того, чтобы убедиться в запуске <systemitem class=\"daemon"
+"\">httpd</systemitem> в ограниченном <computeroutput>httpd_t</"
+"computeroutput> домене:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>rm -i /var/www/html/test2file</"
+"command> command to remove <filename>test2file</filename>."
+msgstr ""
+"От имени пользователя root, выполните команду <command>rm -i /var/www/html/"
+"test2file</command> для удаления <filename>test2file</filename>."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The examples in these sections demonstrate how data can be protected from a "
+"compromised confined-process (protected by SELinux), as well as how data is "
+"more accessible to an attacker from a compromised unconfined-process (not "
+"protected by SELinux)."
+msgstr ""
+"Примеры в этом разделе, демонстрируют как данные могут быть защищены от "
+"уязвимых ограниченных процессов (confined-processes), защищенных с помощью "
+"SELinux, а также, как данные могут стать доступными для атакующего от "
+"уязвимых неограниченных (unconfined-processes), не защищенных с помощью "
+"SELinux."
+
+#. Tag: title
+#, no-c-format
+msgid "Confined and Unconfined Users"
+msgstr "Ограниченные и Неограниченные Пользователи"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Each Linux user is mapped to an SELinux user via SELinux policy. This allows "
+"Linux users to inherit the restrictions on SELinux users. This Linux user "
+"mapping is seen by running the <command>semanage login -l</command> command "
+"as the Linux root user:"
+msgstr ""
+"Каждый пользователь Linux сопоставлен пользователю SELinux через политику "
+"SELinux. Это позволяет пользователям Linux наследовать ограничения "
+"пользователей SELinux. Это сопоставление пользователей Linux можно "
+"просмотреть выполнив команду <command>semanage login -l</command> от имени "
+"пользователя root:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"In Fedora&nbsp;&PRODVER;, Linux users are mapped to the SELinux "
+"<computeroutput>__default__</computeroutput> login by default (which is "
+"mapped to the SELinux <computeroutput>unconfined_u</computeroutput> user). "
+"The following defines the default-mapping:"
+msgstr ""
+"В Fedora&nbsp;&PRODVER;, пользователи Linux сопоставлены логину SELinux "
+"<computeroutput>__default__</computeroutput>, который сопоставлен "
+"пользователю SELinux <computeroutput>unconfined_u</computeroutput> по "
+"умолчанию. Ниже определяется это сопоставление \"по-умолчанию\":"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The following example demonstrates adding a new Linux user, and that Linux "
+"user being mapped to the SELinux <computeroutput>unconfined_u</"
+"computeroutput> user. It assumes that the Linux root user is running "
+"unconfined, as it does by default in Fedora&nbsp;&PRODVER;:"
+msgstr ""
+"В следующем примере демонстрируется добавление нового пользователя Linux, и "
+"сопоставление пользователя Linux пользователю SELinux "
+"<computeroutput>unconfined_u</computeroutput>. Это подразумевает, что "
+"пользователь root работает неограниченно (unconfined), что установлено по "
+"умолчанию в Fedora&nbsp;&PRODVER;:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>/usr/sbin/useradd newuser</command> "
+"command to create a new Linux user named newuser."
+msgstr ""
+"От имени пользователя root, выполним команду <command>/usr/sbin/useradd "
+"newuser</command> для создания нового пользователя Linux с именем newuser."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"As the Linux root user, run the <command>passwd newuser</command> command to "
+"assign a password to the Linux newuser user:"
+msgstr ""
+"От имени пользователя root, выполним команду <command>passwd newuser</"
+"command> для назначения пароля пользователю newuser:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Log out of your current session, and log in as the Linux newuser user. When "
+"you log in, pam_selinux maps the Linux user to an SELinux user (in this "
+"case, unconfined_u), and sets up the resulting SELinux context. The Linux "
+"user's shell is then launched with this context. Run the <command>id -Z</"
+"command> command to view the context of a Linux user:"
+msgstr ""
+"Завершите сеанс текущей сессии, и выполните логин от имени пользователя "
+"newuser. После выполнения авторизации pam_selinux сопоставит пользователя "
+"Linux пользователю SELinux (в нашем случае unconfined_u), и установит "
+"результирующий контекст SELinux. Пользовательская оболочка (shell) запущена "
+"в этом же контексте. Выполните команду <command>id -Z</command> для "
+"просмотра контекста пользователя Linux:"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Log out of the Linux newuser's session, and log in with your account. If you "
+"do not want the Linux newuser user, run the <command>/usr/sbin/userdel -r "
+"newuser</command> command as the Linux root user to remove it, along with "
+"the Linux newuser's home directory."
+msgstr ""
+"Завершите сессию пользователя newuser, и зайдите с вашей учётной записью. "
+"Если Вам не нужен пользователь newuser, его можно удалить командой <command>/"
+"usr/sbin/userdel -r newuser</command> от имени пользователя root, вместе с "
+"домашним каталогом пользователя newsuer."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Confined and unconfined Linux users are subject to executable and writeable "
+"memory checks, and are also restricted by MCS (and MLS, if the MLS policy is "
+"used). If unconfined Linux users execute an application that SELinux policy "
+"defines can transition from the <computeroutput>unconfined_t</"
+"computeroutput> domain to its own confined domain, unconfined Linux users "
+"are still subject to the restrictions of that confined domain. The security "
+"benefit of this is that, even though a Linux user is running unconfined, the "
+"application remains confined, and therefore, the exploitation of a flaw in "
+"the application can be limited by policy. Note: this does not protect the "
+"system from the user. Instead, the user and the system are being protected "
+"from possible damage caused by a flaw in the application."
+msgstr ""
+"Ограниченные и неограниченные пользователи Linux - это субъекты для проверки "
+"на исполнение и запись в сегменты памяти, а также для ограничений политикой "
+"MCS (и MLS, если используется политика MLS). Если неограниченные "
+"пользователи Linux выполняют приложения, для которых SELinux определяет "
+"переход из неограниченного домена <computeroutput>unconfined_t</"
+"computeroutput> в ограниченный домен, то неограниченные польователи Linux "
+"являются субъектами для правил и ограничений в этом ограниченном домене. "
+"Преимущество безопасности в этом случае заключается в том, что хотя "
+"пользователь работает неограниченно, приложение остаётся ограниченным, и "
+"кроме того, использование утечек приложение может быть ограничено политикой. "
+"Примечание: данный механизм не защищает систему от пользователя. Вместо "
+"этого, пользователь и система защищены от возможных угроз, вызванных "
+"уязвимостями приложения."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The following confined SELinux users are available in Fedora&nbsp;&PRODVER;:"
+msgstr ""
+"Следующие ограниченнные пользователи SELinux существуют в Fedora&nbsp;"
+"&PRODVER;:"
+
+#. Tag: title
+#, no-c-format
+msgid "SELinux User Capabilities"
+msgstr "Возможности пользователей SELinux"
+
+#. Tag: entry
+#, no-c-format
+msgid "User"
+msgstr "Пользователь"
+
+#. Tag: entry
+#, no-c-format
+msgid "Domain"
+msgstr "Домен"
+
+#. Tag: entry
+#, no-c-format
+msgid "X Window System"
+msgstr "X Window System"
+
+#. Tag: entry
+#, no-c-format
+msgid "su and sudo"
+msgstr "su и sudo"
+
+#. Tag: entry
+#, no-c-format
+msgid "Execute in home directory and /tmp/"
+msgstr "Выполнение в домашнем каталоге и /tmp/"
+
+#. Tag: entry
+#, no-c-format
+msgid "Networking"
+msgstr "Сетевые функции"
+
+#. Tag: entry
+#, no-c-format
+msgid "guest_u"
+msgstr "guest_u"
+
+#. Tag: entry
+#, no-c-format
+msgid "guest_t"
+msgstr "guest_t"
+
+#. Tag: entry
+#, no-c-format
+msgid "no"
+msgstr "нет"
+
+#. Tag: entry
+#, no-c-format
+msgid "optional"
+msgstr "опционально"
+
+#. Tag: entry
+#, no-c-format
+msgid "xguest_u"
+msgstr "xguest_u"
+
+#. Tag: entry
+#, no-c-format
+msgid "xguest_t"
+msgstr "xguest_t"
+
+#. Tag: entry
+#, no-c-format
+msgid "yes"
+msgstr "да"
+
+#. Tag: entry
+#, no-c-format
+msgid "only <application>Firefox</application>"
+msgstr "только <application>Firefox</application>"
+
+#. Tag: entry
+#, no-c-format
+msgid "user_u"
+msgstr "user_u"
+
+#. Tag: entry
+#, no-c-format
+msgid "user_t"
+msgstr "user_t"
+
+#. Tag: entry
+#, no-c-format
+msgid "staff_u"
+msgstr "staff_u"
+
+#. Tag: entry
+#, no-c-format
+msgid "staff_t"
+msgstr "staff_t"
+
+#. Tag: entry
+#, no-c-format
+msgid "only <command>sudo</command>"
+msgstr "только <command>sudo</command>"
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Linux users in the <computeroutput>guest_t</computeroutput>, "
+"<computeroutput>xguest_t</computeroutput>, and <computeroutput>user_t</"
+"computeroutput> domains can only run set user ID (setuid) applications if "
+"SELinux policy permits it (such as <command>passwd</command>). They can not "
+"run the <command>su</command> and <command>/usr/bin/sudo</command> setuid "
+"applications, and therefore, can not use these applications to become the "
+"Linux root user."
+msgstr ""
+"Пользователи Linux в доменах <computeroutput>guest_t</computeroutput>, "
+"<computeroutput>xguest_t</computeroutput> и <computeroutput>user_t</"
+"computeroutput> могут запускать приложения, которые устанавливают ID "
+"пользователя (setuid), только если политика SELinux позволяет это (такие как "
+"<command>passwd</command>). Они не могут выполнять setuid приложения "
+"<command>su</command> и <command>/usr/bin/sudo</command> и более того, не "
+"могут использовать данные приложения для, того чтобы повысить привелегия до "
+"пользователя root."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Linux users in the <computeroutput>guest_t</computeroutput> domain have no "
+"network access, and can only log in via a terminal (including <systemitem "
+"class=\"daemon\">ssh</systemitem>; they can log in via <systemitem class="
+"\"daemon\">ssh</systemitem>, but can not use <systemitem class=\"daemon"
+"\">ssh</systemitem> to connect to another system)."
+msgstr ""
+"У пользователей Linux в домене <computeroutput>guest_t</computeroutput> нет "
+"доступа к сети, и они могут только выполнить логин через терминал (включая "
+"<systemitem class=\"daemon\">ssh</systemitem>; они могут выполнить вход "
+"через <systemitem class=\"daemon\">ssh</systemitem>, но они не могут "
+"использовать <systemitem class=\"daemon\">ssh</systemitem> для подключения к "
+"удалённой системе)."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"The only network access Linux users in the <computeroutput>xguest_t</"
+"computeroutput> domain have is <application>Firefox</application> connecting "
+"to web pages."
+msgstr ""
+"Единственный сетевой доступ, который есть у пользователей Linux в домене "
+"<computeroutput>xguest_t</computeroutput> - это подключение к веб-страницам "
+"с использованием <application>Firefox</application>."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"Linux users in the <computeroutput>xguest_t</computeroutput>, "
+"<computeroutput>user_t</computeroutput> and <computeroutput>staff_t</"
+"computeroutput> domains can log in via the X Window System and a terminal."
+msgstr ""
+"Пользователи Linux в доменах <computeroutput>xguest_t</computeroutput>, "
+"<computeroutput>user_t</computeroutput> и <computeroutput>staff_t</"
+"computeroutput> могут выполнять вход через X Window System или терминал."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"By default, Linux users in the <computeroutput>staff_t</computeroutput> "
+"domain do not have permissions to execute applications with <command>/usr/"
+"bin/sudo</command>. These permissions must be configured by an administrator."
+msgstr ""
+"По умолчанию, пользователи Linux в домене <computeroutput>staff_t</"
+"computeroutput> не имеют прав на исполнение приложений с <command>/usr/bin/"
+"sudo</command> Эти права могут быть изменены администратором."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"By default, Linux users in the <computeroutput>guest_t</computeroutput> and "
+"<computeroutput>xguest_t</computeroutput> domains can not execute "
+"applications in their home directories or <filename>/tmp/</filename>, "
+"preventing them from executing applications (which inherit users' "
+"permissions) in directories they have write access to. This helps prevent "
+"flawed or malicious applications from modifying files users' own."
+msgstr ""
+"По умолчанию, пользователи Linux в доменах <computeroutput>guest_t</"
+"computeroutput> и <computeroutput>xguest_t</computeroutput> не могут "
+"исполнять приложения в их домащних каталогах или <filename>/tmp/</filename>, "
+"предотвращая этим, запуск приложений (которые наследуют права пользователя) "
+"в директориях, на которые у них есть права записи. Это позволяет "
+"предотвратить от запуска и утечки подозрительных приложений или изменения "
+"файлов, которыми владеет пользователь."
+
+#. Tag: para
+#, no-c-format
+msgid ""
+"By default, Linux users in the <computeroutput>user_t</computeroutput> and "
+"<computeroutput>staff_t</computeroutput> domains can execute applications in "
+"their home directories and <filename>/tmp/</filename>. Refer to <xref "
+"linkend=\"sect-Security-Enhanced_Linux-Confining_Users-"
+"Booleans_for_Users_Executing_Applications\" /> for information about "
+"allowing and preventing users from executing applications in their home "
+"directories and <filename>/tmp/</filename>."
+msgstr ""
+"По умолчанию, пользователи Linux в доменах <computeroutput>user_t</"
+"computeroutput> и <computeroutput>staff_t</computeroutput> могут выполнять "
+"приложения в их домашних каталогах и <filename>/tmp/</filename>. "
+"Дополнительная информация <xref linkend=\"sect-Security-Enhanced_Linux-"
+"Confining_Users-Booleans_for_Users_Executing_Applications\" /> о разрешении "
+"и запрещении исполнения приложения пользователями в домашних каталогах и "
+"<filename>/tmp/</filename>."
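Review bot: the msgstr for the "Unconfined Processes" paragraph (the block ending with the line "заменяет правила дискретного доступа.") drops part of the msgid: the English names three unconfined domains (init programs in initrc_t, kernel processes in kernel_t, and unconfined Linux users in unconfined_t), while the Russian stops after kernel_t, so the reader loses the statement that logged-in users themselves run unconfined; add the clause "а неограниченные пользователи Linux работают в домене <computeroutput>unconfined_t</computeroutput>" after the kernel_t sentence. Three other translations change the stated meaning rather than the wording. "These permissions must be configured by an administrator" (staff_t and sudo) is rendered as "Эти права могут быть изменены администратором", which reads as optional where the source says sudo does not work for staff_t until an administrator sets it up, and the sentence break before it is missing; suggest "sudo</command>. Эти права должны быть настроены администратором.". "compromised confined-process" / "compromised unconfined-process" in the closing paragraph of the section is rendered "уязвимых" (vulnerable) in both places, where "скомпрометированных" is what the msgid says; and "the exploitation of a flaw in the application can be limited by policy" becomes "использование утечек приложение может быть ограничено политикой", where "эксплуатация уязвимости в приложении" matches the source. The guest_t/xguest_t home-directory paragraph ends with "предотвратить от запуска и утечки подозрительных приложений или изменения файлов", which does not carry the msgid's point that flawed or malicious applications are prevented from modifying files the user owns. Remaining items are spelling and punctuation: "Lnux root", "измнения", "настрйоки", "типо" (for "типом"), "предназначенны", "неограиченном", "домащних", "польователи", "ограниченнные", "привелегия", "newsuer", a stray period in "<para>. При" and after "</footnote>." in both RBAC paragraphs, and the missing full stop in "</systemitem> Вывод команды" in the service httpd start step.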


