r488 - community/trunk/SELinux_User_Guide/ru-RU
transif at fedoraproject.org
Sat Nov 20 08:42:31 UTC 2010
Author: transif
Date: 2010-11-20 08:42:31 +0000 (Sat, 20 Nov 2010)
New Revision: 488
Modified:
community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po
Log:
l10n: Updates to Russian (ru) translation
Transmitted-via: Transifex (translate.fedoraproject.org)
Modified: community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po
===================================================================
--- community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po 2010-10-05 13:04:55 UTC (rev 487)
+++ community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po 2010-11-20 08:42:31 UTC (rev 488)
@@ -1,1425 +1,903 @@
-# SOME DESCRIPTIVE TITLE.
-# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
-#
-#, fuzzy
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
-"POT-Creation-Date: 2010-04-15T00:19:32\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
-"Language-Team: LANGUAGE <kde-i18n-doc at kde.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Type: application/x-xml2pot; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#. Tag: title
-#, no-c-format
-msgid "Troubleshooting"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following chapter describes what happens when SELinux denies access; the "
-"top three causes of problems; where to find information about correct "
-"labeling; analyzing SELinux denials; and creating custom policy modules with "
-"<command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "What Happens when Access is Denied"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux decisions, such as allowing or disallowing access, are cached. This "
-"cache is known as the Access Vector Cache (AVC). Denial messages are logged "
-"when SELinux denies access. These denials are also known as \"AVC denials\", "
-"and are logged to a different location, depending on which daemons are "
-"running:"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Daemon"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Log Location"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "auditd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<filename>/var/log/audit/audit.log</filename>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "auditd off; rsyslogd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<filename>/var/log/messages</filename>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "setroubleshootd, rsyslogd, and auditd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid ""
-"<filename>/var/log/audit/audit.log</filename>. Easier-to-read denial "
-"messages also sent to <filename>/var/log/messages</filename>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you are running the X Window System, have the <package>setroubleshoot</"
-"package> and <package>setroubleshoot-server</package> packages installed, "
-"and the <systemitem class=\"daemon\">setroubleshootd</systemitem> and "
-"<systemitem class=\"daemon\">auditd</systemitem> daemons are running, a "
-"warning is displayed when access is denied by SELinux:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Clicking on 'Show' presents a detailed analysis of why SELinux denied "
-"access, and a possible solution for allowing access. If you are not running "
-"the X Window System, it is less obvious when access is denied by SELinux. "
-"For example, users browsing your website may receive an error similar to the "
-"following:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For these situations, if DAC rules (standard Linux permissions) allow "
-"access, check <filename>/var/log/messages</filename> and <filename>/var/log/"
-"audit/audit.log</filename> for <computeroutput>\"SELinux is preventing\"</"
-"computeroutput> and <computeroutput>\"denied\"</computeroutput> errors "
-"respectively. This can be done by running the following commands as the "
-"Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>grep \"denied\" /var/log/audit/audit.log</command>"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Top Three Causes of Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following sections describe the top three causes of problems: labeling "
-"problems, configuring Booleans and ports for services, and evolving SELinux "
-"rules."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Labeling Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"On systems running SELinux, all processes and files are labeled with a label "
-"that contains security-relevant information. This information is called the "
-"SELinux context. If these labels are wrong, access may be denied. If an "
-"application is labeled incorrectly, the process it transitions to may not "
-"have the correct label, possibly causing SELinux to deny access, and the "
-"process being able to create mislabeled files."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A common cause of labeling problems is when a non-standard directory is used "
-"for a service. For example, instead of using <filename>/var/www/html/</"
-"filename> for a website, an administrator wants to use <filename>/srv/myweb/"
-"</filename>. On Fedora &PRODVER;, the <filename>/srv/</filename> "
-"directory is labeled with the <computeroutput>var_t</computeroutput> type. "
-"Files and directories created and <filename>/srv/</filename> inherit this "
-"type. Also, newly-created top-level directories (such as <filename>/myserver/"
-"</filename>) may be labeled with the <computeroutput>default_t</"
-"computeroutput> type. SELinux prevents the Apache HTTP Server (<systemitem "
-"class=\"daemon\">httpd</systemitem>) from accessing both of these types. To "
-"allow access, SELinux must know that the files in <filename>/srv/myweb/</"
-"filename> are to be accessible to <systemitem class=\"daemon\">httpd</"
-"systemitem>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This <command>semanage</command> command adds the context for the <filename>/"
-"srv/myweb/</filename> directory (and all files and directories under it) to "
-"the SELinux file-context configuration<footnote> <para> Files in <filename>/"
-"etc/selinux/targeted/contexts/files/</filename> define contexts for files "
-"and directories. Files in this directory are read by <command>restorecon</"
-"command> and <command>setfiles</command> to restore files and directories to "
-"their default contexts. </para> </footnote>. The <command>semanage</command> "
-"command does not change the context. As the Linux root user, run the "
-"<command>restorecon</command> command to apply the changes:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" /> "
-"for further information about adding contexts to the file-context "
-"configuration."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "What is the Correct Context?"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <command>matchpathcon</command> command checks the context of a file "
-"path and compares it to the default label for that path. The following "
-"example demonstrates using <command>matchpathcon</command> on a directory "
-"that contains incorrectly labeled files:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, the <filename>index.html</filename> and <filename>page1."
-"html</filename> files are labeled with the <computeroutput>user_home_t</"
-"computeroutput> type. This type is used for files in user home directories. "
-"Using the <command>mv</command> command to move files from your home "
-"directory may result in files being labeled with the "
-"<computeroutput>user_home_t</computeroutput> type. This type should not "
-"exist outside of home directories. Use the <command>restorecon</command> "
-"command to restore such files to their correct type:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To restore the context for all files under a directory, use the <option>-R</"
-"option> option:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" /> for a "
-"more detailed example of <command>matchpathcon</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "How are Confined Services Running?"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Services can be run in a variety of ways. To cater for this, you must tell "
-"SELinux how you are running services. This can be achieved via Booleans that "
-"allow parts of SELinux policy to be changed at runtime, without any "
-"knowledge of SELinux policy writing. This allows changes, such as allowing "
-"services access to NFS file systems, without reloading or recompiling "
-"SELinux policy. Also, running services on non-default port numbers requires "
-"policy configuration to be updated via the <command>semanage</command> "
-"command."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For example, to allow the Apache HTTP Server to communicate with MySQL, turn "
-"the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean on:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If access is denied for a particular service, use the <command>getsebool</"
-"command> and <command>grep</command> commands to see if any Booleans are "
-"available to allow access. For example, use the <command>getsebool -a | grep "
-"ftp</command> command to search for FTP related Booleans:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For a list of Booleans and whether they are on or off, run the <command>/usr/"
-"sbin/getsebool -a</command> command. For a list of Booleans, an explanation "
-"of what each one is, and whether they are on or off, run the <command>/usr/"
-"sbin/semanage boolean -l</command> command as the Linux root user. Refer to "
-"<xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans"
-"\" /> for information about listing and configuring Booleans."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Port Numbers"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Depending on policy configuration, services may only be allowed to run on "
-"certain port numbers. Attempting to change the port a service runs on "
-"without changing policy may result in the service failing to start. For "
-"example, run the <command>semanage port -l | grep http</command> command as "
-"the Linux root user to list <systemitem class=\"daemon\">http</systemitem> "
-"related ports:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput>http_port_t</computeroutput> port type defines the ports "
-"Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, "
-"488, 8008, 8009, and 8443. If an administrator configures <filename>httpd."
-"conf</filename> so that <systemitem class=\"daemon\">httpd</systemitem> "
-"listens on port 9876 (<option>Listen 9876</option>), but policy is not "
-"updated to reflect this, the <command>service httpd start</command> command "
-"fails:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"An SELinux denial similar to the following is logged to <filename>/var/log/"
-"audit/audit.log</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To allow <systemitem class=\"daemon\">httpd</systemitem> to listen on a port "
-"that is not listed for the <computeroutput>http_port_t</computeroutput> port "
-"type, run the <command>semanage port</command> command to add a port to "
-"policy configuration<footnote> <para> The <command>semanage port -a</"
-"command> command adds an entry to the <filename>/etc/selinux/targeted/"
-"modules/active/ports.local</filename> file. Note: by default, this file can "
-"only be viewed by the Linux root user. </para> </footnote>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <option>-a</option> option adds a new record; the <option>-t</option> "
-"option defines a type; and the <option>-p</option> option defines a "
-"protocol. The last argument is the port number to add."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Evolving Rules and Broken Applications"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Applications may be broken, causing SELinux to deny access. Also, SELinux "
-"rules are evolving - SELinux may not have seen an application running in a "
-"certain way, possibly causing it to deny access, even though the application "
-"is working as expected. For example, if a new version of PostgreSQL is "
-"released, it may perform actions the current policy has not seen before, "
-"causing access to be denied, even though access should be allowed."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For these situations, after access is denied, use <command>audit2allow</"
-"command> to create a custom policy module to allow access. Refer to <xref "
-"linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-"
-"Allowing_Access_audit2allow\" /> for information about using "
-"<command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Fixing Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following sections help troubleshoot issues. They go over: checking "
-"Linux permissions, which are checked before SELinux rules; possible causes "
-"of SELinux denying access, but no denials being logged; manual pages for "
-"services, which contain information about labeling and Booleans; permissive "
-"domains, for allowing one process to run permissive, rather than the whole "
-"system; how to search for and view denial messages; analyzing denials; and "
-"creating custom policy modules with <command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Linux Permissions"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"When access is denied, check standard Linux permissions. As mentioned in "
-"<xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, most "
-"operating systems use a Discretionary Access Control (DAC) system to control "
-"access, allowing users to control the permissions of files that they own. "
-"SELinux policy rules are checked after DAC rules. SELinux policy rules are "
-"not used if DAC rules deny access first."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If access is denied and no SELinux denials are logged, use the <command>ls -"
-"l</command> command to view the standard Linux permissions:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, <filename>index.html</filename> is owned by the root user "
-"and group. The root user has read and write permissions (<computeroutput>-"
-"rw</computeroutput>), and members of the root group have read permissions "
-"(<computeroutput>-r-</computeroutput>). Everyone else has no access "
-"(<computeroutput>---</computeroutput>). By default, such permissions do not "
-"allow <systemitem class=\"daemon\">httpd</systemitem> to read this file. To "
-"resolve this issue, use the <command>chown</command> command to change the "
-"owner and group. This command must be run as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This assumes the default configuration, in which <systemitem class=\"daemon"
-"\">httpd</systemitem> runs as the Linux apache user. If you run <systemitem "
-"class=\"daemon\">httpd</systemitem> with a different user, replace "
-"<computeroutput>apache:apache</computeroutput> with that user."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to the <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/"
-"AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions"
-"\"</ulink> draft for information about managing Linux permissions."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Possible Causes of Silent Denials"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In certain situations, AVC denials may not be logged when SELinux denies "
-"access. Applications and system library functions often probe for more "
-"access than required to perform their tasks. To maintain least privilege "
-"without filling audit logs with AVC denials for harmless application "
-"probing, the policy can silence AVC denials without allowing a permission by "
-"using <computeroutput>dontaudit</computeroutput> rules. These rules are "
-"common in standard policy. The downside of <computeroutput>dontaudit</"
-"computeroutput> is that, although SELinux denies access, denial messages are "
-"not logged, making troubleshooting hard."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To temporarily disable <computeroutput>dontaudit</computeroutput> rules, "
-"allowing all denials to be logged, run the following command as the Linux "
-"root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semodule -DB</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <option>-D</option> option disables <computeroutput>dontaudit</"
-"computeroutput> rules; the <option>-B</option> option rebuilds policy. After "
-"running <command>semodule -DB</command>, try exercising the application that "
-"was encountering permission problems, and see if SELinux denials — "
-"relevant to the application — are now being logged. Take care in "
-"deciding which denials should be allowed, as some should be ignored and "
-"handled via <computeroutput>dontaudit</computeroutput> rules. If in doubt, "
-"or in search of guidance, contact other SELinux users and developers on an "
-"SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/"
-"fedora-selinux-list\">fedora-selinux-list</ulink>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To rebuild policy and enable <computeroutput>dontaudit</computeroutput> "
-"rules, run the following command as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semodule -B</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This restores the policy to its original state. For a full list of "
-"<computeroutput>dontaudit</computeroutput> rules, run the <command>sesearch "
-"--dontaudit</command> command. Narrow down searches using the <option>-s "
-"<replaceable>domain</replaceable></option> option and the <command>grep</"
-"command> command. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-"
-"Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Fixing_Problems-sealert_Messages\" /> for information about analyzing "
-"denials."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Manual Pages for Services"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Manual pages for services contain valuable information, such as what file "
-"type to use for a given situation, and Booleans to change the access a "
-"service has (such as <systemitem class=\"daemon\">httpd</systemitem> "
-"accessing NFS file systems). This information may be in the standard manual "
-"page, or a manual page with <computeroutput>selinux</computeroutput> "
-"prepended or appended."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "For example, the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "httpd_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page has information about what file type to use for a given "
-"situation, as well as Booleans to allow scripts, sharing files, accessing "
-"directories inside user home directories, and so on. Other manual pages with "
-"SELinux information for services include:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Samba: the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "samba_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that files and directories to be exported via Samba "
-"must be labeled with the <computeroutput>samba_share_t</computeroutput> "
-"type, as well as Booleans to allow files labeled with types other than "
-"<computeroutput>samba_share_t</computeroutput> to be exported via Samba."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "NFS: the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "nfs_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that, by default, file systems can not be exported via "
-"NFS, and that to allow file systems to be exported, Booleans such as "
-"<computeroutput>nfs_export_all_ro</computeroutput> or "
-"<computeroutput>nfs_export_all_rw</computeroutput> must be turned on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Berkeley Internet Name Domain (BIND): the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "named"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes what file type to use for a given situation (see the "
-"<computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> "
-"section). The"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "named_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that, by default, <systemitem class=\"daemon\">named</"
-"systemitem> can not write to master zone files, and to allow such access, "
-"the <computeroutput>named_write_master_zones</computeroutput> Boolean must "
-"be turned on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The information in manual pages helps you configure the correct file types "
-"and Booleans, helping to prevent SELinux from denying access."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Permissive Domains"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"When SELinux is running in permissive mode, SELinux does not deny access, "
-"but denials are logged for actions that would have been denied if running in "
-"enforcing mode. Previously, it was not possible to make a single domain "
-"permissive (remember: processes run in domains). In certain situations, this "
-"led to making the whole system permissive to troubleshoot issues."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Fedora &PRODVER; includes permissive domains, where an administrator "
-"can configure a single process (domain) to run permissive, rather than "
-"making the whole system permissive. SELinux checks are still performed for "
-"permissive domains; however, the kernel allows access and reports an AVC "
-"denial for situations where SELinux would have denied access. Permissive "
-"domains are also available in Fedora 9 (with the latest updates applied)."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In Red Hat Enterprise Linux 4 and 5, <computeroutput><replaceable>domain</"
-"replaceable>_disable_trans</computeroutput> Booleans are available to "
-"prevent an application from transitioning to a confined domain, and "
-"therefore, the process runs in an unconfined domain, such as "
-"<computeroutput>initrc_t</computeroutput>. Turning such Booleans on can "
-"cause major problems. For example, if the "
-"<computeroutput>httpd_disable_trans</computeroutput> Boolean is turned on:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<systemitem class=\"daemon\">httpd</systemitem> runs in the unconfined "
-"<computeroutput>initrc_t</computeroutput> domain. Files created by processes "
-"running in the <computeroutput>initrc_t</computeroutput> domain may not have "
-"the same labeling rules applied as files created by a process running in the "
-"<computeroutput>httpd_t</computeroutput> domain, potentially allowing "
-"processes to create mislabeled files. This causes access problems later on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"confined domains that are allowed to communicate with "
-"<computeroutput>httpd_t</computeroutput> can not communicate with "
-"<computeroutput>initrc_t</computeroutput>, possibly causing additional "
-"failures."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput><replaceable>domain</replaceable>_disable_trans</"
-"computeroutput> Booleans were removed from Fedora 7, even though there was "
-"no replacement. Permissive domains solve the above issues: transition rules "
-"apply, and files are created with the correct labels."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Permissive domains can be used for:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"making a single process (domain) run permissive to troubleshoot an issue, "
-"rather than putting the entire system at risk by making the entire system "
-"permissive."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"creating policies for new applications. Previously, it was recommended that "
-"a minimal policy be created, and then the entire machine put into permissive "
-"mode, so that the application could run, but SELinux denials still logged. "
-"<command>audit2allow</command> could then be used to help write the policy. "
-"This put the whole system at risk. With permissive domains, only the domain "
-"in the new policy can be marked permissive, without putting the whole system "
-"at risk."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Making a Domain Permissive"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To make a domain permissive, run the <command>semanage permissive -a "
-"<replaceable>domain</replaceable></command> command, where "
-"<replaceable>domain</replaceable> is the domain you want to make permissive. "
-"For example, run the following command as the Linux root user to make the "
-"<computeroutput>httpd_t</computeroutput> domain (the domain the Apache HTTP "
-"Server runs in) permissive:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To view a list of domains you have made permissive, run the "
-"<command>semodule -l | grep permissive</command> command as the Linux root "
-"user. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you no longer want a domain to be permissive, run the <command>semanage "
-"permissive -d <replaceable>domain</replaceable></command> command as the "
-"Linux root user. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Denials for Permissive Domains"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput>SYSCALL</computeroutput> message is different for "
-"permissive domains. The following is an example AVC denial (and the "
-"associated system call) from the Apache HTTP Server:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, the <computeroutput>httpd_t</computeroutput> domain is not "
-"permissive, and as such, the action is denied, and the "
-"<computeroutput>SYSCALL</computeroutput> message contains "
-"<computeroutput>success=no</computeroutput>. The following is an example AVC "
-"denial for the same situation, except the <command>semanage permissive -a "
-"httpd_t</command> command has been run to make the <computeroutput>httpd_t</"
-"computeroutput> domain permissive:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this case, although an AVC denial was logged, access was not denied, as "
-"shown by <computeroutput>success=yes</computeroutput> in the "
-"<computeroutput>SYSCALL</computeroutput> message."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24537.html"
-"\">\"Permissive Domains\"</ulink> blog entry for further information about "
-"permissive domains."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Searching For and Viewing Denials"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This section assumes the <package>setroubleshoot</package>, "
-"<package>setroubleshoot-server</package>, <package>dbus</package> and "
-"<package>audit</package> packages are installed, and that the <systemitem "
-"class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</"
-"systemitem>, and <systemitem class=\"daemon\">setroubleshootd</systemitem> "
-"daemons are running. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Working_with_SELinux-Which_Log_File_is_Used\" /> for information about "
-"starting these daemons. A number of tools are available for searching for "
-"and viewing SELinux denials, such as <command>ausearch</command>, "
-"<command>aureport</command>, and <command>sealert</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "ausearch"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>audit</package> package provides <command>ausearch</command>. "
-"From the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>ausearch</command> is a tool that can query the "
-"audit daemon logs based for events based on different search criteria"
-"\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</"
-"refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as "
-"shipped with the <package>audit</package> package in Fedora &PRODVER;. "
-"</para> </footnote>. The <command>ausearch</command> tool accesses "
-"<filename>/var/log/audit/audit.log</filename>, and as such, must be run as "
-"the Linux root user:"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Searching For"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Command"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "all denials"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc</command>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "denials for that today"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -ts today</command>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "denials from the last 10 minutes"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -ts recent</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To search for SELinux denials for a particular service, use the <option>-c "
-"<replaceable>comm-name</replaceable></option> option, where "
-"<replaceable>comm-name</replaceable> \"is the executableâs name\"<footnote> "
-"<para> From the <citerefentry><refentrytitle>ausearch</"
-"refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as "
-"shipped with the <package>audit</package> package in Fedora &PRODVER;. "
-"</para> </footnote>, for example, <systemitem class=\"daemon\">httpd</"
-"systemitem> for the Apache HTTP Server, and <systemitem class=\"daemon"
-"\">smbd</systemitem> for Samba:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -c httpd</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -c smbd</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Refer to the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>ausearch</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "aureport"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>audit</package> package provides <command>aureport</command>. "
-"From the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>aureport</command> is a tool that produces summary "
-"reports of the audit system logs\"<footnote> <para> From the "
-"<citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</"
-"manvolnum></citerefentry> manual page, as shipped with the <package>audit</"
-"package> package in Fedora &PRODVER;. </para> </footnote>. The "
-"<command>aureport</command> tool accesses <filename>/var/log/audit/audit."
-"log</filename>, and as such, must be run as the Linux root user. To view a "
-"list of SELinux denials and how often each one occurred, run the "
-"<command>aureport -a</command> command. The following is example output that "
-"includes two denials:"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>aureport</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "sealert"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>setroubleshoot-server</package> package provides "
-"<command>sealert</command>, which reads denial messages translated by "
-"<package>setroubleshoot-server</package>. Denials are assigned IDs, as seen "
-"in <filename>/var/log/messages</filename>. The following is an example "
-"denial from <filename>messages</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, the denial ID is <computeroutput>84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</computeroutput>. The <option>-l</option> option takes an ID as "
-"an argument. Running the <command>sealert -l 84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</command> command presents a detailed analysis of why SELinux "
-"denied access, and a possible solution for allowing access."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you are running the X Window System, have the <package>setroubleshoot</"
-"package> and <package>setroubleshoot-server</package> packages installed, "
-"and the <systemitem class=\"daemon\">setroubleshootd</systemitem>, "
-"<systemitem class=\"daemon\">dbus</systemitem> and <systemitem class=\"daemon"
-"\">auditd</systemitem> daemons are running, a warning is displayed when "
-"access is denied by SELinux. Clicking on 'Show' launches the "
-"<command>sealert</command> GUI, and displays denials in HTML output:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>sealert -b</command> command to launch the "
-"<command>sealert</command> GUI."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>sealert -l \\*</command> command to view a detailed "
-"analysis of all denials."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>sealert -a /var/log/audit/audit.log "
-"-H > audit.html</command> command to create a HTML version of the "
-"<command>sealert</command> analysis, as seen with the <command>sealert</"
-"command> GUI."
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>sealert</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Raw Audit Messages"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Raw audit messages are logged to <filename>/var/log/audit/audit.log</"
-"filename>. The following is an example AVC denial (and the associated system "
-"call) that occurred when the Apache HTTP Server (running in the "
-"<computeroutput>httpd_t</computeroutput> domain) attempted to access the "
-"<filename>/var/www/html/file1</filename> file (labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type):"
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "<replaceable>{ getattr }</replaceable>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The item in braces indicates the permission that was denied. "
-"<computeroutput>getattr</computeroutput> indicates the source process was "
-"trying to read the target file's status information. This occurs before "
-"reading files. This action is denied due to the file being accessed having "
-"the wrong label. Commonly seen permissions include <computeroutput>getattr</"
-"computeroutput>, <computeroutput>read</computeroutput>, and "
-"<computeroutput>write</computeroutput>."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "comm=\"<replaceable>httpd</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The executable that launched the process. The full path of the executable is "
-"found in the <computeroutput>exe=</computeroutput> section of the system "
-"call (<computeroutput>SYSCALL</computeroutput>) message, which in this case, "
-"is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "path=\"<replaceable>/var/www/html/file1</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "The path to the object (target) the process attempted to access."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid ""
-"scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The SELinux context of the process that attempted the denied action. In this "
-"case, it is the SELinux context of the Apache HTTP Server, which is running "
-"in the <computeroutput>httpd_t</computeroutput> domain."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid ""
-"tcontext=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>"
-"\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The SELinux context of the object (target) the process attempted to access. "
-"In this case, it is the SELinux context of <filename>file1</filename>. Note: "
-"the <computeroutput>samba_share_t</computeroutput> type is not accessible to "
-"processes running in the <computeroutput>httpd_t</computeroutput> domain."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In certain situations, the <computeroutput>tcontext</computeroutput> may "
-"match the <computeroutput>scontext</computeroutput>, for example, when a "
-"process attempts to execute a system service that will change "
-"characteristics of that running process, such as the user ID. Also, the "
-"<computeroutput>tcontext</computeroutput> may match the "
-"<computeroutput>scontext</computeroutput> when a process tries to use more "
-"resources (such as memory) than normal limits allow, resulting in a security "
-"check to see if that process is allowed to break those limits."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"From the system call (<computeroutput>SYSCALL</computeroutput>) message, two "
-"items are of interest:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<computeroutput>success=<replaceable>no</replaceable></computeroutput>: "
-"indicates whether the denial (AVC) was enforced or not. "
-"<computeroutput>success=no</computeroutput> indicates the system call was "
-"not successful (SELinux denied access). <computeroutput>success=yes</"
-"computeroutput> indicates the system call was successful - this can be seen "
-"for permissive domains or unconfined domains, such as "
-"<computeroutput>initrc_t</computeroutput> and <computeroutput>kernel_t</"
-"computeroutput>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</"
-"computeroutput>: the full path to the executable that launched the process, "
-"which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</"
-"computeroutput>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"An incorrect file type is a common cause for SELinux denying access. To "
-"start troubleshooting, compare the source context (<computeroutput>scontext</"
-"computeroutput>) with the target context (<computeroutput>tcontext</"
-"computeroutput>). Should the process (<computeroutput>scontext</"
-"computeroutput>) be accessing such an object (<computeroutput>tcontext</"
-"computeroutput>)? For example, the Apache HTTP Server "
-"(<computeroutput>httpd_t</computeroutput>) should only be accessing types "
-"specified in the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page, such as <computeroutput>httpd_sys_content_t</computeroutput>, "
-"<computeroutput>public_content_t</computeroutput>, and so on, unless "
-"configured otherwise."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "sealert Messages"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. "
-"The following is an example AVC denial (logged to <filename>messages</"
-"filename>) that occurred when the Apache HTTP Server (running in the "
-"<computeroutput>httpd_t</computeroutput> domain) attempted to access the "
-"<filename>/var/www/html/file1</filename> file (labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type):"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As suggested, run the <command>sealert -l 84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</command> command to view the complete message. This command "
-"only works on the local machine, and presents the same information as the "
-"<command>sealert</command> GUI:"
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Summary"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A brief summary of the denied action. This is the same as the denial in "
-"<filename>/var/log/messages</filename>. In this example, the <systemitem "
-"class=\"daemon\">httpd</systemitem> process was denied access to a file "
-"(<filename>file1</filename>), which is labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Detailed Description"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A more verbose description. In this example, <filename>file1</filename> is "
-"labeled with the <computeroutput>samba_share_t</computeroutput> type. This "
-"type is used for files and directories that you want to export via Samba. "
-"The description suggests changing the type to a type that can be accessed by "
-"the Apache HTTP Server and Samba, if such access is desired."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Allowing Access"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A suggestion for how to allow access. This may be relabeling files, turning "
-"a Boolean on, or making a local policy module. In this case, the suggestion "
-"is to label the file with a type accessible to both the Apache HTTP Server "
-"and Samba."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Fix Command"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A suggested command to allow access and resolve the denial. In this example, "
-"it gives the command to change the <filename>file1</filename> type to "
-"<computeroutput>public_content_t</computeroutput>, which is accessible to "
-"the Apache HTTP Server and Samba."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Additional Information"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Information that is useful in bug reports, such as the policy package name "
-"and version (<computeroutput>selinux-policy-3.5.13-11.fc12</"
-"computeroutput>), but may not help towards solving why the denial occurred."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The raw audit messages from <filename>/var/log/audit/audit.log</filename> "
-"that are associated with the denial. Refer to <xref linkend=\"sect-Security-"
-"Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> for information about "
-"each item in the AVC denial."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Allowing Access: audit2allow"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Do not use the example in this section in production. It is used only to "
-"demonstrate the use of <command>audit2allow</command>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "From the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "audit2allow"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>audit2allow</command> - generate SELinux policy "
-"allow rules from logs of denied operations\"<footnote> <para> From the "
-"<citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</"
-"manvolnum></citerefentry> manual page, as shipped with the "
-"<package>policycoreutils</package> package in Fedora &PRODVER;. </para> "
-"</footnote>. After analyzing denials as per <xref linkend=\"sect-Security-"
-"Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, and if no label "
-"changes or Booleans allowed access, use <command>audit2allow</command> to "
-"create a local policy module. After access is denied by SELinux, running the "
-"<command>audit2allow</command> command presents Type Enforcement rules that "
-"allow the previously denied access."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following example demonstrates using <command>audit2allow</command> to "
-"create a policy module:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A denial and the associated system call are logged to <filename>/var/log/"
-"audit/audit.log</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, <application>certwatch</application> (<computeroutput>comm="
-"\"certwatch\"</computeroutput>) was denied write access (<computeroutput>"
-"{ write }</computeroutput>) to a directory labeled with the "
-"<computeroutput>var_t</computeroutput> type "
-"(<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). "
-"Analyze the denial as per <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Fixing_Problems-sealert_Messages\" />. If no label changes or Booleans "
-"allowed access, use <command>audit2allow</command> to create a local policy "
-"module."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"With a denial logged, such as the <computeroutput>certwatch</computeroutput> "
-"denial in step 1, run the <command>audit2allow -w -a</command> command to "
-"produce a human-readable description of why access was denied. The <option>-"
-"a</option> option causes all audit logs to be read. The <option>-w</option> "
-"option produces the human-readable description. The <command>audit2allow</"
-"command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as "
-"such, must be run as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "As shown, access was denied due to a missing Type Enforcement rule."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>audit2allow -a</command> command to view the Type "
-"Enforcement rule that allows the denied access:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Missing Type Enforcement rules are usually caused by bugs in SELinux policy, "
-"and should be reported in <ulink url=\"https://bugzilla.redhat.com/\">Red "
-"Hat Bugzilla</ulink>. For Fedora, create bugs against the "
-"<computeroutput>Fedora</computeroutput> product, and select the "
-"<computeroutput>selinux-policy</computeroutput> component. Include the "
-"output of the <command>audit2allow -w -a</command> and <command>audit2allow -"
-"a</command> commands in such bug reports."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To use the rule displayed by <command>audit2allow -a</command>, run the "
-"<command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command> "
-"command as the Linux root user to create custom module. The <option>-M</"
-"option> option creates a Type Enforcement file (<filename>.te</filename>) "
-"with the name specified with <option>-M</option>, in your current working "
-"directory:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Also, <command>audit2allow</command> compiles the Type Enforcement rule into "
-"a policy package (<filename>.pp</filename>). To install the module, run the "
-"<command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></"
-"command> command as the Linux root user."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Modules created with <command>audit2allow</command> may allow more access "
-"than required. It is recommended that policy created with "
-"<command>audit2allow</command> be posted to an SELinux list, such as <ulink "
-"url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-"
-"selinux-list</ulink>, for review. If you believe their is a bug in policy, "
-"create a bug in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat "
-"Bugzilla</ulink>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you have multiple denials from multiple processes, but only want to "
-"create a custom policy for a single process, use the <command>grep</command> "
-"command to narrow down the input for <command>audit2allow</command>. The "
-"following example demonstrates using <command>grep</command> to only send "
-"denials related to <command>certwatch</command> through "
-"<command>audit2allow</command>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html"
-"\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> blog "
-"entry for further information about using <command>audit2allow</command> to "
-"build policy modules."
-msgstr ""
+# SOME DESCRIPTIVE TITLE.
+# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: SELinux User Guide\n"
+"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
+"POT-Creation-Date: 2010-04-15T00:19:32\n"
+"PO-Revision-Date: 2010-11-20 13:29+0500\n"
+"Last-Translator: Alexey Cicin <daydrim at gmail.com>\n"
+"Language-Team: trans-ru <trans-ru at lists.fedoraproject.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Russian\n"
+"X-Poedit-Country: RUSSIAN FEDERATION\n"
+"X-Poedit-SourceCharset: utf-8\n"
+
+#. Tag: title
+#, no-c-format
+msgid "Troubleshooting"
+msgstr "ÐоиÑк и ÑÑÑÑанение неиÑпÑавноÑÑей"
+
+#. Tag: para
+#, no-c-format
+msgid "The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with <command>audit2allow</command>."
+msgstr "Ð ÑледÑÑÑей главе опиÑÑваеÑÑÑ, ÑÑо пÑоиÑÑ
одиÑ, когда SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп: пÑÐ¾Ð±Ð»ÐµÐ¼Ñ Ð² ÑеÑении вÑзÑваÑÑ ÑÑи оÑновнÑÑ
пÑиÑинÑ; где найÑи инÑоÑмаÑÐ¸Ñ Ð¾ пÑавилÑнÑÑ
меÑкаÑ
; анализ оÑказов доÑÑÑпа SELinux; и Ñоздание ÑпеÑиÑиÑеÑки наÑÑÑоеннÑÑ
модÑлей Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ <command>audit2allow</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "What Happens when Access is Denied"
+msgstr "ЧÑо пÑоиÑÑ
одиÑ, когда блокиÑÑеÑÑÑ Ð´Ð¾ÑÑÑп"
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as \"AVC denials\", and are logged to a different location, depending on which daemons are running:"
+msgstr "РеÑÐµÐ½Ð¸Ñ SELinux, Ñакие как пÑедоÑÑавление или блокиÑование доÑÑÑпа, кÑÑиÑÑÑÑÑÑ. ÐÑÐ¾Ñ ÐºÑÑ Ð½Ð°Ð·ÑваеÑÑÑ Access Vector Cache (AVC) или кÑÑ Ð²ÐµÐºÑоÑа доÑÑÑпа. СообÑÐµÐ½Ð¸Ñ Ð¾ блокиÑовании доÑÑÑпа, жÑÑналиÑÑÑÑÑÑ, когда SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп. ÐÑи оÑÐºÐ°Ð·Ñ Ð½Ð°Ð·ÑваÑÑÑÑ \"ÐлокиÑовками AVC\" или \"AVC denials\" и жÑÑналиÑÑеÑÑÑ Ð² ÑазлиÑнÑе ÑайлÑ, в завиÑимоÑÑи Ð¾Ñ Ñого, какой демон запÑÑен:"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Daemon"
+msgstr "Ðемон"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Log Location"
+msgstr "РаÑположение Ñайлов Ñ Ð¶ÑÑналами ÑобÑÑий"
+
+#. Tag: seg
+#, no-c-format
+msgid "auditd on"
+msgstr "auditd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/audit/audit.log</filename>"
+msgstr "<filename>/var/log/audit/audit.log</filename>"
+
+#. Tag: seg
+#, no-c-format
+msgid "auditd off; rsyslogd on"
+msgstr "auditd off; rsyslogd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/messages</filename>"
+msgstr "<filename>/var/log/messages</filename>"
+
+#. Tag: seg
+#, no-c-format
+msgid "setroubleshootd, rsyslogd, and auditd on"
+msgstr "setroubleshootd, rsyslogd, and auditd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/audit/audit.log</filename>. Easier-to-read denial messages also sent to <filename>/var/log/messages</filename>"
+msgstr "<filename>/var/log/audit/audit.log</filename>. ÐÑоÑе ÑиÑаÑÑ ÑообÑÐµÐ½Ð¸Ñ Ð¾ блокиÑовкаÑ
, дÑблиÑÑемÑе в <filename>/var/log/messages</filename>"
+
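Review bot: The three daemon-state msgstr values in this table ("auditd on", "auditd off; rsyslogd on", "setroubleshootd, rsyslogd, and auditd on") are copied unchanged from their msgids, so the English words "on", "off" and "and" remain in a table whose column titles ("Daemon", "Log Location") are translated. Translate the state words and the conjunction, keeping only the daemon names in Latin script. If the copy is intentional, add a translator comment saying so, so that these entries are not flagged as untranslated on the next pass.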
+#. Tag: para
+#, no-c-format
+msgid "If you are running the X Window System, have the <package>setroubleshoot</package> and <package>setroubleshoot-server</package> packages installed, and the <systemitem class=\"daemon\">setroubleshootd</systemitem> and <systemitem class=\"daemon\">auditd</systemitem> daemons are running, a warning is displayed when access is denied by SELinux:"
+msgstr "ÐÑли запÑÑена X Window System, а Ñакже ÑÑÑÐ°Ð½Ð¾Ð²Ð»ÐµÐ½Ñ Ð¿Ð°ÐºÐµÑÑ <package>setroubleshoot</package> и <package>setroubleshoot-server</package>, и Ð´ÐµÐ¼Ð¾Ð½Ñ <systemitem class=\"daemon\">setroubleshootd</systemitem> и <systemitem class=\"daemon\">auditd</systemitem> запÑÑенÑ, Ñо, когда SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп, оÑобÑажаеÑÑÑ Ð¿ÑедÑпÑеждение:"
+
+#. Tag: para
+#, no-c-format
+msgid "Clicking on 'Show' presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:"
+msgstr "ÐажаÑие на 'Show' показÑÐ²Ð°ÐµÑ Ð´ÐµÑалÑнÑй анализ пÑиÑин, поÑÐµÐ¼Ñ SELinux блокиÑовал доÑÑÑп, и возможное ÑеÑение Ð´Ð»Ñ Ð¾ÑкÑÑÑÐ¸Ñ Ð´Ð¾ÑÑÑпа. ÐÑли ÑиÑÑема X Window System не запÑÑена, ÑобÑÑие блокиÑовки доÑÑÑпа менее оÑевидно. ÐапÑимеÑ, полÑзоваÑели пÑоÑмаÑÑиваÑÑие веб-ÑÐ°Ð¹Ñ Ð¼Ð¾Ð³ÑÑ Ð¿Ð¾Ð»ÑÑиÑÑ Ð¾ÑÐ¸Ð±ÐºÑ Ð¿Ð¾Ñ
ожÑÑ, на показаннÑÑ Ð½Ð¸Ð¶Ðµ:"
+
+#. Tag: para
+#, no-c-format
+msgid "For these situations, if DAC rules (standard Linux permissions) allow access, check <filename>/var/log/messages</filename> and <filename>/var/log/audit/audit.log</filename> for <computeroutput>\"SELinux is preventing\"</computeroutput> and <computeroutput>\"denied\"</computeroutput> errors respectively. This can be done by running the following commands as the Linux root user:"
+msgstr "Ð ÑакиÑ
ÑиÑÑаÑиÑÑ
, еÑли пÑавила DAC (ÑÑандаÑÑнÑе ÑазÑеÑÐµÐ½Ð¸Ñ Linux) ÑазÑеÑаÑÑ Ð´Ð¾ÑÑÑп, пÑовеÑÑÑе ÑÐ°Ð¹Ð»Ñ <filename>/var/log/messages</filename> и <filename>/var/log/audit/audit.log</filename> на ÑобÑÑÐ¸Ñ <computeroutput>\"SELinux is preventing\"</computeroutput> и <computeroutput>\"denied\"</computeroutput>. ÐÑо можно вÑполниÑÑ, вÑполнив ÑледÑÑÑие ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
+msgstr "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>grep \"denied\" /var/log/audit/audit.log</command>"
+msgstr "<command>grep \"denied\" /var/log/audit/audit.log</command>"
+
+#. Tag: title
+#, no-c-format
+msgid "Top Three Causes of Problems"
+msgstr "ТÑи оÑновнÑе пÑиÑÐ¸Ð½Ñ Ð²Ð¾Ð·Ð½Ð¸ÐºÐ½Ð¾Ð²ÐµÐ½Ð¸Ñ Ð¿Ñоблем"
+
+#. Tag: para
+#, no-c-format
+msgid "The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules."
+msgstr "Ð ÑледÑÑÑиÑ
ÑазделаÑ
опиÑÑваÑÑÑÑ ÑÑи оÑновнÑе пÑиÑÐ¸Ð½Ñ Ð²Ð¾Ð·Ð½Ð¸ÐºÐ½Ð¾Ð²ÐµÐ½Ð¸Ñ Ð¿Ñоблем: пÑоблема меÑок, конÑигÑÑиÑование ÐÑлевÑÑ
знаÑений и поÑÑов Ð´Ð»Ñ ÑлÑжб; и оÑÑлеживание пÑавил SELinux."
+
+#. Tag: title
+#, no-c-format
+msgid "Labeling Problems"
+msgstr "ÐÑоблема ÐеÑок (пÑоблема маÑкиÑованиÑ)"
+
+#. Tag: para
+#, no-c-format
+msgid "On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access, and the process being able to create mislabeled files."
+msgstr "Ð ÑиÑÑемаÑ
Ñ Ð·Ð°Ð¿ÑÑеннÑм SELinux, вÑе пÑоÑеÑÑÑ Ð¸ ÑÐ°Ð¹Ð»Ñ Ð¼Ð°ÑкиÑÐ¾Ð²Ð°Ð½Ñ Ð¼ÐµÑками, коÑоÑÑе ÑодеÑÐ¶Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ ÐºÐ¾Ð½ÑекÑÑа безопаÑноÑÑи. ÐÑа инÑоÑмаÑÐ¸Ñ Ð½Ð°Ð·ÑваеÑÑÑ ÐºÐ¾Ð½ÑекÑÑом SELinux. ÐÑли ÑÑи меÑки некоÑÑекÑнÑ, доÑÑÑп Ð¼Ð¾Ð¶ÐµÑ Ð±Ð»Ð¾ÐºÐ¸ÑоваÑÑÑÑ. ÐÑли пÑиложение маÑкиÑовано некоÑÑекÑно, пÑоÑеÑÑ Ð² коÑоÑÑй оно пеÑеÑ
Ð¾Ð´Ð¸Ñ Ð¼Ð¾Ð¶ÐµÑ Ð¸Ð¼ÐµÑÑ Ð½ÐµÐºÐ¾ÑÑекÑнÑе меÑки, ÑÑо возможно пÑÐ¸Ð²ÐµÐ´ÐµÑ Ðº блокиÑÐ¾Ð²Ð°Ð½Ð¸Ñ Ð´Ð¾ÑÑÑпа SELinux, и Ñакой пÑоÑеÑÑ Ð¼Ð¾Ð¶ÐµÑ ÑоздаÑÑ Ð½ÐµÐºÐ¾ÑÑекÑно маÑкиÑованнÑе ÑайлÑ."
+
+#. Tag: para
+#, no-c-format
+msgid "A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using <filename>/var/www/html/</filename> for a website, an administrator wants to use <filename>/srv/myweb/</filename>. On Fedora &PRODVER;, the <filename>/srv/</filename> directory is labeled with the <computeroutput>var_t</computeroutput> type. Files and directories created and <filename>/srv/</filename> inherit this type. Also, newly-created top-level directories (such as <filename>/myserver/</filename>) may be labeled with the <computeroutput>default_t</computeroutput> type. SELinux prevents the Apache HTTP Server (<systemitem class=\"daemon\">httpd</systemitem>) from accessing both of these types. To allow access, SELinux must know that the files in <filename>/srv/myweb/</filename> are to be accessible to <systemitem class=\"daemon\">httpd</systemitem>:"
+msgstr "ÐÑÐ½Ð¾Ð²Ð½Ð°Ñ Ð¿ÑиÑина пÑоблем Ñ Ð¼Ð°ÑкиÑованием - ÑÑо иÑполÑзование неÑÑандаÑÑнÑÑ
каÑалогов Ð´Ð»Ñ ÑлÑжб. ÐапÑимеÑ, вмеÑÑо иÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ <filename>/var/www/html/</filename> Ð´Ð»Ñ Ð²ÐµÐ±ÑайÑа, админиÑÑÑаÑÐ¾Ñ Ð¼Ð¾Ð¶ÐµÑ Ð¸ÑполÑзоваÑÑ <filename>/srv/myweb/</filename> Ð Fedora &PRODVER;, каÑалог <filename>/srv/</filename> помеÑен Ñипом <computeroutput>var_t</computeroutput>. Ð¤Ð°Ð¹Ð»Ñ Ð¸ каÑалоги ÑоздаваемÑе в <filename>/srv/</filename> наÑледÑÑÑ ÑÑÐ¾Ñ Ñип. Также Ð²Ð½Ð¾Ð²Ñ ÑозданнÑе каÑалоги коÑневого ÑÑовнÑ, Ñакие как <filename>/myserver/</filename>, могÑÑ Ð±ÑÑÑ Ð¿Ð¾Ð¼ÐµÑÐµÐ½Ñ Ñипом <computeroutput>default_t</computeroutput>. SELinux пÑедоÑвÑаÑÐ°ÐµÑ Apache HTTP Server (<systemitem class=\"daemon\">httpd</systemit
em>) Ð¾Ñ Ð¿Ð¾Ð»ÑÑÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа к ÑÑим Ñипам. ÐÐ»Ñ Ð¿ÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа, SELinux должен знаÑÑ Ð¾ Ñом, ÑÑо ÑÐ°Ð¹Ð»Ñ Ð² <filename>/srv/myweb/</filename> доÑÑÑÐ¿Ð½Ñ <systemitem class=\"daemon\">httpd</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid "This <command>semanage</command> command adds the context for the <filename>/srv/myweb/</filename> directory (and all files and directories under it) to the SELinux file-context configuration<footnote> <para> Files in <filename>/etc/selinux/targeted/contexts/files/</filename> define contexts for files and directories. Files in this directory are read by <command>restorecon</command> and <command>setfiles</command> to restore files and directories to their default contexts. </para> </footnote>. The <command>semanage</command> command does not change the context. As the Linux root user, run the <command>restorecon</command> command to apply the changes:"
+msgstr "Ðоманда <command>semanage</command> добавлÑÐµÑ ÐºÐ¾Ð½ÑекÑÑ Ðº каÑÐ°Ð»Ð¾Ð³Ñ <filename>/srv/myweb/</filename> (и вÑем Ñайлам и каÑалогам в нÑм) к конÑигÑÑаÑии конÑекÑÑа SELinux<footnote> <para> Ð¤Ð°Ð¹Ð»Ñ Ð² <filename>/etc/selinux/targeted/contexts/files/</filename> опÑеделÑÑÑ ÐºÐ¾Ð½ÑекÑÑÑ Ð´Ð»Ñ Ñайлов и каÑалогов. Ð¤Ð°Ð¹Ð»Ñ Ð² ÑÑом каÑалоге ÑÑиÑÑваÑÑÑÑ <command>restorecon</command> и <command>setfiles</command> Ð´Ð»Ñ Ð²Ð¾ÑÑÑÐ°Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ ÐºÐ¾Ð½ÑекÑÑов к иÑ
знаÑениÑм по-ÑмоÑаниÑ. </para> </footnote>. Ðоманда <command>semanage</command> не изменÑÐµÑ ÐºÐ¾Ð½ÑекÑÑа. ÐÑ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>restorecon</command> Ð´Ð»Ñ Ð¿ÑÐ¸Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ð¹:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" /> for further information about adding contexts to the file-context configuration."
+msgstr "ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑи о добавлении конÑекÑÑов к конÑигÑÑаÑии доÑÑÑпна в Ñазделе <xref linkend=\"sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "What is the Correct Context?"
+msgstr "Ðак опÑеделиÑÑ Ð¿ÑавилÑнÑй конÑекÑÑ?"
+
+#. Tag: para
+#, no-c-format
+msgid "The <command>matchpathcon</command> command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using <command>matchpathcon</command> on a directory that contains incorrectly labeled files:"
+msgstr "Ðоманда <command>matchpathcon</command> пÑовеÑÑÐµÑ ÐºÐ¾Ð½ÑекÑÑ Ð´Ð»Ñ Ñайла и ÑвеÑÑÐµÑ Ñ ÐµÐ³Ð¾ конÑекÑÑом по ÑмолÑаниÑ. Ð ÑледÑÑÑем пÑимеÑе демонÑÑÑиÑÑеÑÑÑ Ð¸ÑполÑзование <command>matchpathcon</command> Ð´Ð»Ñ ÐºÐ°Ñалога, коÑоÑÑй ÑодеÑÐ¶Ð¸Ñ Ð½ÐµÐºÐ¾ÑÑекÑно маÑкиÑованнÑе ÑайлÑ:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, the <filename>index.html</filename> and <filename>page1.html</filename> files are labeled with the <computeroutput>user_home_t</computeroutput> type. This type is used for files in user home directories. Using the <command>mv</command> command to move files from your home directory may result in files being labeled with the <computeroutput>user_home_t</computeroutput> type. This type should not exist outside of home directories. Use the <command>restorecon</command> command to restore such files to their correct type:"
+msgstr "Ð ÑÑом пÑимеÑе ÑÐ°Ð¹Ð»Ñ <filename>index.html</filename> и <filename>page1.html</filename> помеÑÐµÐ½Ñ Ñипом <computeroutput>user_home_t</computeroutput>. ÐÑÐ¾Ñ Ñип иÑполÑзÑеÑÑÑ Ð´Ð»Ñ Ñайлов в домаÑниÑ
каÑалогаÑ
полÑзоваÑелей. ÐÑполÑзÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>mv</command> Ð´Ð»Ñ Ð¿ÐµÑемеÑÐµÐ½Ð¸Ñ Ñайлов из ваÑего домаÑнего каÑалога Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑивеÑÑи к ÑомÑ, ÑÑо ÑÐ°Ð¹Ð»Ñ Ð±ÑдÑÑ Ð¼Ð°ÑкиÑÐ¾Ð²Ð°Ð½Ñ Ñипом <computeroutput>user_home_t</computeroutput>. ÐÑÐ¾Ñ Ñип не должен ÑÑÑеÑÑвоваÑÑ Ð²Ð½Ðµ домаÑниÑ
каÑалогов. ÐÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>restorecon</command> Ð´Ð»Ñ Ð²Ð¾ÑÑÑÐ°Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ ÐºÐ¾ÑÑекÑного Ñипа ÑакиÑ
Ñайлов:"
+
+#. Tag: para
+#, no-c-format
+msgid "To restore the context for all files under a directory, use the <option>-R</option> option:"
+msgstr "ÐÐ»Ñ Ð²Ð¾ÑÑÑÐ°Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ ÐºÐ¾Ð½ÑекÑÑа вÑеÑ
Ñайлов в каÑалоге иÑполÑзÑйÑе опÑÐ¸Ñ <option>-R</option>:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" /> for a more detailed example of <command>matchpathcon</command>."
+msgstr "ÐополниÑелÑнÑе пÑимеÑÑ Ð¸ÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ <command>matchpathcon</command> доÑÑÑÐ¿Ð½Ñ Ð¿Ð¾ ÑÑÑлке: <xref linkend=\"sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "How are Confined Services Running?"
+msgstr "Ðак ÑабоÑаÑÑ Ð¾Ð³ÑаниÑеннÑе ÑлÑжбÑ?"
+
+#. Tag: para
+#, no-c-format
+msgid "Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the <command>semanage</command> command."
+msgstr "СлÑÐ¶Ð±Ñ Ð¼Ð¾Ð³ÑÑ ÑабоÑаÑÑ Ð² неÑколÑкиÑ
ÑежимаÑ
. ÐÐ»Ñ Ñого, ÑÑÐ¾Ð±Ñ Ð¾Ð±ÐµÑпеÑиÑÑ ÑежимÑ, необÑ
одимо ÑообÑиÑÑ SELinux как необÑ
одимо запÑÑкаÑÑ ÑлÑжбÑ. ÐÑо Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð´Ð¾ÑÑигнÑÑо ÑеÑез ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеменнÑе, коÑоÑÑе позволÑÑÑ ÑаÑÑÑм полиÑики SELinux изменÑÑÑÑÑ Ð² ÑабоÑем Ñежиме, без Ð¿Ð¾Ð½Ð¸Ð¼Ð°Ð½Ð¸Ñ Ð½Ð°Ð¿Ð¸ÑÐ°Ð½Ð¸Ñ Ð¿Ð¾Ð»Ð¸Ñики SELinux. ÐÑо позволÑÐµÑ Ð²Ð½Ð¾ÑиÑÑ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ, Ñакие, как доÑÑÑп к ÑайловÑм ÑиÑÑемам NFS, без пеÑегÑÑзки или ÑекомпилÑÑии полиÑики SELinux. Также запÑÑк ÑлÑжб на неÑÑандаÑÑном поÑÑÑ ÑÑебÑÐµÑ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ Ð¿Ð¾Ð»Ð¸Ñики Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "For example, to allow the Apache HTTP Server to communicate with MySQL, turn the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean on:"
+msgstr "ÐапÑÐ¸Ð¼ÐµÑ Ð´Ð»Ñ ÑазÑеÑÐµÐ½Ð¸Ñ Apache HTTP Server ÑвÑзÑваÑÑÑÑ Ñ MySQL, пеÑеклÑÑиÑе ÐÑлево знаÑение <computeroutput>httpd_can_network_connect_db</computeroutput> в ÑоÑÑоÑние вклÑÑено (on):"
+
+#. Tag: para
+#, no-c-format
+msgid "If access is denied for a particular service, use the <command>getsebool</command> and <command>grep</command> commands to see if any Booleans are available to allow access. For example, use the <command>getsebool -a | grep ftp</command> command to search for FTP related Booleans:"
+msgstr "ÐÑли доÑÑÑп заблокиÑован Ð´Ð»Ñ Ð¾Ð¿Ñеделенной ÑлÑжбÑ, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>getsebool</command> и <command>grep</command>, Ð´Ð»Ñ Ð¿ÑоÑмоÑÑа еÑÑÑ Ð»Ð¸ ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеменнÑе Ð´Ð»Ñ Ð¿ÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа. ÐапÑимеÑ, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>getsebool -a | grep ftp</command> Ð´Ð»Ñ Ð¿Ð¾Ð¸Ñка ÑооÑвеÑÑÑвÑÑÑиÑ
ÐÑлевÑÑ
знаÑений Ð´Ð»Ñ FTP:"
+
+#. Tag: para
+#, no-c-format
+msgid "For a list of Booleans and whether they are on or off, run the <command>/usr/sbin/getsebool -a</command> command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <command>/usr/sbin/semanage boolean -l</command> command as the Linux root user. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans\" /> for information about listing and configuring Booleans."
+msgstr "ÐÐ»Ñ Ð¿ÑоÑмоÑÑа ÐÑлевÑÑ
знаÑений и опÑÐµÐ´ÐµÐ»ÐµÐ½Ð¸Ñ Ð²ÐºÐ»ÑÑÐµÐ½Ñ Ð¾Ð½Ð¸ или вÑклÑÑенÑ, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>/usr/sbin/getsebool -a</command>. ÐÐ»Ñ Ð¿ÑоÑмоÑÑа ÑпиÑка ÐÑлевÑÑ
знаÑений и опÑÐµÐ´ÐµÐ»ÐµÐ½Ð¸Ñ Ð¸Ñ
назнаÑениÑ, а Ñакже иÑ
ÑоÑÑоÑниÑ, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>/usr/sbin/semanage boolean -l</command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root. ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ ÑпиÑкаÑ
и конÑигÑÑиÑовании ÐÑлевÑÑ
знаÑений доÑÑÑпна в Ñазделе: <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans\" />"
+
+#. Tag: title
+#, no-c-format
+msgid "Port Numbers"
+msgstr "ÐомеÑа поÑÑов"
+
+#. Tag: para
+#, no-c-format
+msgid "Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the <command>semanage port -l | grep http</command> command as the Linux root user to list <systemitem class=\"daemon\">http</systemitem> related ports:"
+msgstr "РзавиÑимоÑÑи Ð¾Ñ ÐºÐ¾Ð½ÑигÑÑаÑии полиÑики, ÑлÑжбам Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ ÑазÑеÑено ÑабоÑаÑÑ ÑолÑко на опÑеделенном диапазоне поÑÑов. ÐопÑÑка измениÑÑ Ð¿Ð¾ÑÑ ÑлÑÐ¶Ð±Ñ Ð±ÐµÐ· Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ Ð¿Ð¾Ð»Ð¸Ñики, Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑивеÑÑи к невозможноÑÑи запÑÑка ÑлÑжбÑ. ÐапÑимеÑ, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage port -l | grep http</command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root Ð´Ð»Ñ Ð¿ÑоÑмоÑÑа ÑазÑеÑеннÑÑ
поÑÑов оÑноÑÑÑиÑ
ÑÑ Ðº <systemitem class=\"daemon\">http</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput>http_port_t</computeroutput> port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures <filename>httpd.conf</filename> so that <systemitem class=\"daemon\">httpd</systemitem> listens on port 9876 (<option>Listen 9876</option>), but policy is not updated to reflect this, the <command>service httpd start</command> command fails:"
+msgstr "Тип поÑÑа <computeroutput>http_port_t</computeroutput> опÑеделÑÐµÑ Ð¿Ð¾ÑÑ, коÑоÑÑй Apache HTTP Server Ð¼Ð¾Ð¶ÐµÑ ÑлÑÑаÑÑ, коÑоÑÑе, в наÑем ÑлÑÑае, TCP 80, 443,488, 8008, 8009 и 8443. ÐÑли админиÑÑÑаÑÐ¾Ñ ÑконÑигÑÑиÑовал <filename>httpd.conf</filename> Ñак, ÑÑо <systemitem class=\"daemon\">httpd</systemitem> ÑлÑÑÐ°ÐµÑ Ð¿Ð¾ÑÑ 9876 (<option>Listen 9876</option>), но полиÑика не обновлена в ÑооÑвеÑÑÑвии Ñ ÑÑим изменением, Ñо команда <command>service httpd start</command> завеÑÑиÑÑÑ Ñ Ð¾Ñибкой:"
+
+#. Tag: para
+#, no-c-format
+msgid "An SELinux denial similar to the following is logged to <filename>/var/log/audit/audit.log</filename>:"
+msgstr "ÐÑказ в доÑÑÑпе SELinux бÑÐ´ÐµÑ ÑÑ
ож Ñо ÑледÑÑÑим ÑобÑÑием, запиÑаннÑм в <filename>/var/log/audit/audit.log</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "To allow <systemitem class=\"daemon\">httpd</systemitem> to listen on a port that is not listed for the <computeroutput>http_port_t</computeroutput> port type, run the <command>semanage port</command> command to add a port to policy configuration<footnote> <para> The <command>semanage port -a</command> command adds an entry to the <filename>/etc/selinux/targeted/modules/active/ports.local</filename> file. Note: by default, this file can only be viewed by the Linux root user. </para> </footnote>:"
+msgstr "ÐÐ»Ñ ÑазÑеÑÐµÐ½Ð¸Ñ <systemitem class=\"daemon\">httpd</systemitem> ÑлÑÑаÑÑ Ð¿Ð¾ÑÑ, коÑоÑÑй не пеÑеÑиÑлен в Ñипе <computeroutput>http_port_t</computeroutput>, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage port</command> Ð´Ð»Ñ Ð´Ð¾Ð±Ð°Ð²Ð»ÐµÐ½Ð¸Ñ Ð¿Ð¾ÑÑа в полиÑикÑ<footnote> <para> Ðоманда <command>semanage port -a</command> добавлÑÐµÑ Ð·Ð°Ð¿Ð¸ÑÑ Ð² Ñайл <filename>/etc/selinux/targeted/modules/active/ports.local</filename>. ÐÑимеÑание: по ÑмолÑаниÑ, ÑÑÐ¾Ñ Ñайл Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð¿ÑоÑмоÑÑен ÑолÑко полÑзоваÑелем root. </para> </footnote>:"
+
+#. Tag: para
+#, no-c-format
+msgid "The <option>-a</option> option adds a new record; the <option>-t</option> option defines a type; and the <option>-p</option> option defines a protocol. The last argument is the port number to add."
+msgstr "ÐпÑÐ¸Ñ <option>-a</option> добавлÑÐµÑ Ð½Ð¾Ð²ÑÑ Ð·Ð°Ð¿Ð¸ÑÑ; опÑÐ¸Ñ <option>-t</option> опÑеделÑÐµÑ Ñип, а опÑÐ¸Ñ <option>-p</option> опÑеделÑÐµÑ Ð¿ÑоÑокол. ÐоÑледний аÑгÑÐ¼ÐµÐ½Ñ - ÑÑо Ð½Ð¾Ð¼ÐµÑ Ð´Ð¾Ð±Ð°Ð²Ð»Ñемого поÑÑа."
+
+#. Tag: title
+#, no-c-format
+msgid "Evolving Rules and Broken Applications"
+msgstr "Ð Ð°Ð·Ð±Ð¾Ñ Ð¿Ñавил и наÑÑÑÐµÐ½Ð½Ð°Ñ ÑабоÑа пÑиложений"
+
+#. Tag: para
+#, no-c-format
+msgid "Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving - SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed."
+msgstr "РабоÑа пÑÐ¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð½Ð°ÑÑÑена, по пÑиÑине блокиÑовок доÑÑÑпа SELinux. Такие пÑавила SELinux необÑ
одимо ÑазбиÑаÑÑ Ð´ÐµÑалÑно - SELinux Ð¼Ð¾Ð¶ÐµÑ Ð½Ðµ опÑеделÑÑÑ Ð¿Ñиложение ÑабоÑаÑÑее по Ñвоим пÑавилам, даже еÑли пÑиложение ÑабоÑÐ°ÐµÑ Ð² ÑÑаÑном Ñежиме. ÐапÑимеÑ, еÑли вÑпÑÑена Ð½Ð¾Ð²Ð°Ñ Ð²ÐµÑÑÐ¸Ñ PostgreSQL, она Ð¼Ð¾Ð¶ÐµÑ Ð²ÑполнÑÑÑ Ð´ÐµÐ¹ÑÑвиÑ, о коÑоÑÑÑ
ÑекÑÑÐ°Ñ Ð¿Ð¾Ð»Ð¸Ñика SELinux не знаеÑ, пÑÐ¸Ð²Ð¾Ð´Ñ Ðº оÑÐºÐ°Ð·Ñ Ð² доÑÑÑпе, даже еÑли доÑÑÑп должен бÑÑÑ Ð¿ÑедоÑÑавлен."
+
+#. Tag: para
+#, no-c-format
+msgid "For these situations, after access is denied, use <command>audit2allow</command> to create a custom policy module to allow access. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow\" /> for information about using <command>audit2allow</command>."
+msgstr "ÐÐ»Ñ ÑакиÑ
ÑиÑÑаÑий, еÑли доÑÑÑп блокиÑован, иÑполÑзÑйÑе <command>audit2allow</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ ÑпеÑиÑиÑного модÑÐ»Ñ Ð¿Ð¾Ð»Ð¸Ñики Ð´Ð»Ñ Ð¿ÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа. ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾Ð± иÑполÑзовании <command>audit2allow</command> доÑÑÑпна в Ñазделе <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "Fixing Problems"
+msgstr "УÑÑÑанение пÑоблем"
+
+#. Tag: para
+#, no-c-format
+msgid "The following sections help troubleshoot issues. They go over: checking Linux permissions, which are checked before SELinux rules; possible causes of SELinux denying access, but no denials being logged; manual pages for services, which contain information about labeling and Booleans; permissive domains, for allowing one process to run permissive, rather than the whole system; how to search for and view denial messages; analyzing denials; and creating custom policy modules with <command>audit2allow</command>."
+msgstr "Ð ÑледÑÑÑиÑ
ÑазделаÑ
ÑаÑÑмаÑÑиваÑÑÑÑ Ð²Ð¾Ð¿ÑоÑÑ Ð¿Ð¾Ð¸Ñка и ÑÑÑÑÐ°Ð½ÐµÐ½Ð¸Ñ Ð½ÐµÐ¸ÑпÑавноÑÑей и пÑоблем. РниÑ
ÑаÑÑмаÑÑиваеÑÑÑ: пÑовеÑка ÑазÑеÑений Linux, ÑÑо должно пÑовеÑÑÑÑÑÑ Ð¿ÐµÑед пÑавилами SELinux; возможнÑе пÑиÑÐ¸Ð½Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовки доÑÑÑпа SELinux, Ñ ÑÑловием оÑÑÑÑÑÑÐ²Ð¸Ñ ÑообÑений в лог-ÑайлаÑ
; ÑÑÑаниÑÑ ÑÑководÑÑва (manual pages) Ð´Ð»Ñ ÑлÑжб, коÑоÑÑе ÑодеÑÐ¶Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ меÑкаÑ
и ÐÑлевÑÑ
знаÑениÑÑ
; ÑазÑеÑеннÑе (permissive) доменÑ, Ð´Ð»Ñ ÑазÑеÑÐµÐ½Ð¸Ñ Ð¾Ð´Ð½Ð¾Ð¼Ñ Ð¿ÑоÑеÑÑÑ ÑабоÑаÑÑ Ð² ÑазÑеÑиÑелÑном Ñежиме, а не ÑолÑко вÑей ÑиÑÑеме Ñелеком; ÑпоÑÐ¾Ð±Ñ Ð¿Ð¾Ð¸Ñка и пÑоÑмоÑÑа ÑообÑени
й об оÑказаÑ
в доÑÑÑпе; анализ оÑказов в доÑÑÑпе; и Ñоздание индивидÑалÑнÑÑ
модÑлей полиÑики Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ <command>audit2allow</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "Linux Permissions"
+msgstr "РазÑеÑÐµÐ½Ð¸Ñ Linux"
+
+#. Tag: para
+#, no-c-format
+msgid "When access is denied, check standard Linux permissions. As mentioned in <xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, most operating systems use a Discretionary Access Control (DAC) system to control access, allowing users to control the permissions of files that they own. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first."
+msgstr "ÐÑли доÑÑÑп блокиÑÑеÑÑÑ, пÑовеÑÑÑе ÑÑандаÑÑнÑе ÑазÑеÑÐµÐ½Ð¸Ñ Linux. Ðак ÑпоминаеÑÑÑ Ð² <xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, болÑÑинÑÑво опеÑаÑионнÑÑ
ÑиÑÑем иÑполÑзÑÐµÑ ÐиÑкÑеÑионнÑй ÐонÑÑÐ¾Ð»Ñ ÐоÑÑÑпа Discretionary Access Control (DAC) Ð´Ð»Ñ ÑпÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпом, позволÑÑ Ð¿Ð¾Ð»ÑзоваÑелÑм конÑÑолиÑоваÑÑ ÑазÑеÑÐµÐ½Ð¸Ñ Ð½Ð°Ð´ Ñайлами, коÑоÑÑми они владеÑÑ. ÐÑавила полиÑики SELinux пÑовеÑÑÑÑÑÑ Ð¿Ð¾Ñле пÑавил DAC. ÐÑавила полиÑики SELinux не иÑполÑзÑÑÑÑÑ, еÑли пÑавила DAC блокиÑовали доÑÑÑп пеÑвÑми."
+
+#. Tag: para
+#, no-c-format
+msgid "If access is denied and no SELinux denials are logged, use the <command>ls -l</command> command to view the standard Linux permissions:"
+msgstr "ÐÑли доÑÑÑп блокиÑован и Ð½ÐµÑ Ð½Ð¸ÐºÐ°ÐºÐ¸Ñ
ÑообÑений о блокиÑовкаÑ
SELinux, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>ls -l</command> Ð´Ð»Ñ Ð¿ÑоÑмоÑÑа ÑÑандаÑÑнÑÑ
ÑазÑеÑений Linux:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, <filename>index.html</filename> is owned by the root user and group. The root user has read and write permissions (<computeroutput>-rw</computeroutput>), and members of the root group have read permissions (<computeroutput>-r-</computeroutput>). Everyone else has no access (<computeroutput>---</computeroutput>). By default, such permissions do not allow <systemitem class=\"daemon\">httpd</systemitem> to read this file. To resolve this issue, use the <command>chown</command> command to change the owner and group. This command must be run as the Linux root user:"
+msgstr "Ð ÑÑом пÑимеÑе, владелÑÑем Ñайла <filename>index.html</filename> ÑвлÑеÑÑÑ Ð¿Ð¾Ð»ÑзоваÑÐµÐ»Ñ Ð¸ гÑÑппа root. У полÑзоваÑÐµÐ»Ñ root еÑÑÑ Ð¿Ñава на ÑÑение и запиÑÑ (<computeroutput>-rw</computeroutput>), и Ñ Ñленов гÑÑÐ¿Ð¿Ñ root еÑÑÑ ÑазÑеÑение на ÑÑение (<computeroutput>-r-</computeroutput>). У гÑÑÐ¿Ð¿Ñ Everyone Ð½ÐµÑ Ð´Ð¾ÑÑÑпа (<computeroutput>---</computeroutput>). Ðо ÑмолÑаниÑ, Ñакие ÑазÑеÑÐµÐ½Ð¸Ñ Ð½Ðµ ÑазÑеÑаÑÑ <systemitem class=\"daemon\">httpd</systemitem> ÑиÑаÑÑ ÑÑÐ¾Ñ Ñайл. ÐÐ»Ñ ÑеÑÐµÐ½Ð¸Ñ ÑÑой пÑоблемÑ, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>chown</command> Ð´Ð»Ñ ÑÐ¼ÐµÐ½Ñ Ð²Ð»Ð°Ð´ÐµÐ»ÑÑа и гÑÑппÑ. ÐÑа команда должна бÑÑÑ Ð²Ñполнена Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root:"
+
+#. Tag: para
+#, no-c-format
+msgid "This assumes the default configuration, in which <systemitem class=\"daemon\">httpd</systemitem> runs as the Linux apache user. If you run <systemitem class=\"daemon\">httpd</systemitem> with a different user, replace <computeroutput>apache:apache</computeroutput> with that user."
+msgstr "ÐаннÑе дейÑÑÐ²Ð¸Ñ Ð¿Ð¾Ð´ÑазÑмеваÑÑ ÐºÐ¾Ð½ÑигÑÑаÑÐ¸Ñ Ð¿Ð¾ ÑмолÑаниÑ, в коÑоÑой <systemitem class=\"daemon\">httpd</systemitem> ÑабоÑÐ°ÐµÑ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ apache. ÐÑли <systemitem class=\"daemon\">httpd</systemitem> запÑÑкаеÑÑÑ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ дÑÑгого полÑзоваÑелÑ, замениÑе <computeroutput>apache:apache</computeroutput> на ÑÑого полÑзоваÑелÑ."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions\"</ulink> draft for information about managing Linux permissions."
+msgstr "ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾Ð± ÑпÑавлении ÑазÑеÑениÑми Linux доÑÑÑпна по ÑÑÑлке <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions\"</ulink>."
+
+#. Tag: title
+#, no-c-format
+msgid "Possible Causes of Silent Denials"
+msgstr "ÐозможнÑе пÑиÑÐ¸Ð½Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовок без оповеÑениÑ"
+
+#. Tag: para
+#, no-c-format
+msgid "In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than required to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using <computeroutput>dontaudit</computeroutput> rules. These rules are common in standard policy. The downside of <computeroutput>dontaudit</computeroutput> is that, although SELinux denies access, denial messages are not logged, making troubleshooting hard."
+msgstr "РнекоÑоÑÑÑ
ÑиÑÑаÑиÑÑ
, блокиÑовки AVC могÑÑ Ð½Ðµ жÑÑналиÑоваÑÑÑÑ, когда SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп. ÐÑÐ¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ Ð¸ ÑÑнкÑии ÑиÑÑемнÑÑ
библиоÑек ÑаÑÑо ÑÑебÑÑÑ Ð±Ð¾Ð»ÑÑего доÑÑÑпа, Ñем нÑжно, Ð´Ð»Ñ Ð²ÑÐ¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ ÑвоиÑ
задаÑ. ÐÐ»Ñ Ð¿Ð¾Ð´Ð´ÐµÑжки минималÑнÑÑ
доÑÑÑпов без Ð·Ð°Ð¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ Ð¶ÑÑналов аÑдиÑа, блокиÑовками AVC о безвÑеднÑÑ
запÑоÑаÑ
пÑиложений, полиÑика Ð¼Ð¾Ð¶ÐµÑ Ð²ÑполнÑÑÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки AVC без ÑообÑений, не ÑазÑеÑÐ°Ñ Ð´Ð¾ÑÑÑп, иÑполÑзÑÑ Ð¿Ñавила <computeroutput>dontaudit</computeroutput>. ÐÑи пÑавила обÑие в ÑÑандаÑÑной полиÑике. ÐлоÑ
Ð°Ñ ÑÑоÑона <computeroutput>dontaudit</computeroutput> заклÑÑаеÑÑÑ Ð² ÑÐ
¾Ð¼, ÑÑо, Ñ
оÑÑ SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп, ÑообÑÐµÐ½Ð¸Ñ Ð¾ блокиÑовке не жÑÑналиÑÑÑÑÑÑ, Ñаким обÑазом, Ð´ÐµÐ»Ð°Ñ ÑÐ°Ð·Ð±Ð¾Ñ Ð¸ ÑÑÑÑанение оÑибок ÑложнÑм."
+
+#. Tag: para
+#, no-c-format
+msgid "To temporarily disable <computeroutput>dontaudit</computeroutput> rules, allowing all denials to be logged, run the following command as the Linux root user:"
+msgstr "ÐÐ»Ñ Ð²Ñеменного оÑклÑÑÐµÐ½Ð¸Ñ Ð¿Ñавил <computeroutput>dontaudit</computeroutput>, позволÑÑÑим вÑем блокиÑовкам жÑÑналиÑоваÑÑÑÑ, вÑполниÑе ÑледÑÑÑÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semodule -DB</command>"
+msgstr "<command>/usr/sbin/semodule -DB</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "The <option>-D</option> option disables <computeroutput>dontaudit</computeroutput> rules; the <option>-B</option> option rebuilds policy. After running <command>semodule -DB</command>, try exercising the application that was encountering permission problems, and see if SELinux denials — relevant to the application — are now being logged. Take care in deciding which denials should be allowed, as some should be ignored and handled via <computeroutput>dontaudit</computeroutput> rules. If in doubt, or in search of guidance, contact other SELinux users and developers on an SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>."
+msgstr "ÐпÑÐ¸Ñ <option>-D</option> оÑклÑÑÐ°ÐµÑ Ð¿Ñавила <computeroutput>dontaudit</computeroutput>; опÑÐ¸Ñ <option>-B</option> пеÑеÑÑÑÐ°Ð¸Ð²Ð°ÐµÑ Ð¿Ð¾Ð»Ð¸ÑикÑ. ÐоÑле вÑÐ¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semodule -DB</command>, попÑобÑйÑе изÑÑиÑÑ Ð¿Ñиложение, вÑÑÑеÑаÑÑее пÑÐ¾Ð±Ð»ÐµÐ¼Ñ Ð² ÑазÑеÑениÑÑ
и пÑоÑмоÑÑиÑе блокиÑовки SELinux — оÑноÑÑÑиеÑÑ Ðº пÑÐ¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ —, коÑоÑÑе ÑепеÑÑ ÑодеÑжаÑÑÑ Ð² лог-ÑайлаÑ
. ÐозабоÑÑÑеÑÑ Ð¾ пÑинÑÑии ÑеÑений, какие пÑавила ÑазÑеÑиÑÑ, а какие пÑоигноÑиÑоваÑÑ ÑеÑез пÑавила <computeroutput>dontaudit</computeroutput>. ÐÑли еÑÑÑ ÑÐ¾Ð¼Ð½ÐµÐ½Ð¸Ñ Ð¸Ð»Ð¸ ÑÑебÑеÑÑÑ ÑовеÑ, ÑвÑжиÑеÑÑ Ñ Ð¿Ð¾Ð»ÑзоваÑелÑми и ÑазÑабоÑÑиками SELinux: <ulink url=\"
http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>."
+
+#. Tag: para
+#, no-c-format
+msgid "To rebuild policy and enable <computeroutput>dontaudit</computeroutput> rules, run the following command as the Linux root user:"
+msgstr "ÐÐ»Ñ Ð¿ÐµÑеÑÑÑойки полиÑики и вклÑÑÐµÐ½Ð¸Ñ Ð¿Ñавил <computeroutput>dontaudit</computeroutput>, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semodule -B</command>"
+msgstr "<command>/usr/sbin/semodule -B</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "This restores the policy to its original state. For a full list of <computeroutput>dontaudit</computeroutput> rules, run the <command>sesearch --dontaudit</command> command. Narrow down searches using the <option>-s <replaceable>domain</replaceable></option> option and the <command>grep</command> command. For example:"
+msgstr "ÐÐ°Ð½Ð½Ð°Ñ ÐºÐ¾Ð¼Ð°Ð½Ð´Ð° воÑÑÑÐ°Ð½Ð°Ð²Ð»Ð¸Ð²Ð°ÐµÑ Ð¿Ð¾Ð»Ð¸ÑÐ¸ÐºÑ Ðº ÐµÑ Ð¸ÑÑ
Ð¾Ð´Ð½Ð¾Ð¼Ñ ÑоÑÑоÑниÑ. ÐÐ»Ñ Ð²Ñвода вÑеÑ
пÑавил <computeroutput>dontaudit</computeroutput>, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sesearch --dontaudit</command>. СÑзиÑÑ Ð¿Ð¾Ð¸Ñк можно Ñ Ð¸ÑполÑзованием опÑии <option>-s <replaceable>domain</replaceable></option> и ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>grep</command>. ÐапÑимеÑ:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" /> for information about analyzing denials."
+msgstr "ÐнÑоÑмаÑÐ¸Ñ Ð¾Ð± анализе блокиÑовок доÑÑÑпна в ÑазделаÑ
: <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "Manual Pages for Services"
+msgstr "CÑÑаниÑÑ ÑÑководÑÑва (manual pages) Ð´Ð»Ñ ÑлÑжб"
+
+#. Tag: para
+#, no-c-format
+msgid "Manual pages for services contain valuable information, such as what file type to use for a given situation, and Booleans to change the access a service has (such as <systemitem class=\"daemon\">httpd</systemitem> accessing NFS file systems). This information may be in the standard manual page, or a manual page with <computeroutput>selinux</computeroutput> prepended or appended."
+msgstr "СÑÑаниÑÑ ÑÑководÑÑва Ð´Ð»Ñ ÑлÑжб ÑодеÑÐ¶Ð°Ñ Ð²Ð°Ð¶Ð½ÑÑ Ð¸Ð½ÑоÑмаÑиÑ, ÑакÑÑ ÐºÐ°Ðº, какой Ñип Ñайла иÑполÑзÑеÑÑÑ Ð² опÑеделенной ÑиÑÑаÑии, и какие ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеменнÑе необÑ
одимо измениÑÑ Ð´Ð»Ñ Ð¿ÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа ÑлÑжбе (Ñакой как <systemitem class=\"daemon\">httpd</systemitem>, полÑÑаÑÑей доÑÑÑп к ÑайловÑм ÑиÑÑемам NFS). ÐнÑоÑмаÑÐ¸Ñ Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð² ÑÑандаÑÑной ÑÑÑаниÑе ÑÑководÑÑва или ÑÑÑаниÑе ÑÑководÑÑва Ñ Ð´Ð¾Ð±Ð°Ð²Ð»ÐµÐ½Ð½Ñм Ñазделом <computeroutput>selinux</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "For example, the"
+msgstr "ÐапÑимеÑ, ÑÑÑаниÑа ÑÑководÑÑва"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "httpd_selinux"
+msgstr "httpd_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page has information about what file type to use for a given situation, as well as Booleans to allow scripts, sharing files, accessing directories inside user home directories, and so on. Other manual pages with SELinux information for services include:"
+msgstr "ÑодеÑÐ¶Ð¸Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, какой Ñип Ñайла иÑполÑзÑеÑÑÑ, какие ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеменнÑе ÑазÑеÑаÑÑ ÑкÑипÑÑ, пÑбликаÑÐ¸Ñ Ñайлов, доÑÑÑп к каÑалогам внÑÑÑи домаÑниÑ
каÑалогов и Ñак далее. ÐÑÑгие ÑÑÑаниÑÑ ÑÑководÑÑва Ñ Ð¸Ð½ÑоÑмаÑией о SELinux Ð´Ð»Ñ ÑлÑжб вклÑÑаÑÑ:"
+
+#. Tag: para
+#, no-c-format
+msgid "Samba: the"
+msgstr "Samba: ÑÑÑаниÑа ÑÑководÑÑва"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "samba_selinux"
+msgstr "samba_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that files and directories to be exported via Samba must be labeled with the <computeroutput>samba_share_t</computeroutput> type, as well as Booleans to allow files labeled with types other than <computeroutput>samba_share_t</computeroutput> to be exported via Samba."
+msgstr "ÑодеÑÐ¶Ð¸Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ ÑайлаÑ
и каÑалогаÑ
, коÑоÑÑе могÑÑ Ð±ÑÑÑ ÑкÑпоÑÑиÑÐ¾Ð²Ð°Ð½Ñ ÑеÑез ÑамбÑ, помеÑеннÑе Ñипом <computeroutput>samba_share_t</computeroutput>, а Ñакже о ÐÑлевÑÑ
пеÑеменнÑÑ
, ÑазÑеÑаÑÑиÑ
ÑкÑпоÑÑиÑоваÑÑ ÑеÑез Samba ÑÐ°Ð¹Ð»Ñ Ð¿Ð¾Ð¼ÐµÑеннÑе Ñипом оÑлиÑнÑм Ð¾Ñ <computeroutput>samba_share_t</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "NFS: the"
+msgstr "NFS: ÑÑÑаниÑа ÑÑководÑÑва"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "nfs_selinux"
+msgstr "nfs_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that, by default, file systems can not be exported via NFS, and that to allow file systems to be exported, Booleans such as <computeroutput>nfs_export_all_ro</computeroutput> or <computeroutput>nfs_export_all_rw</computeroutput> must be turned on."
+msgstr "ÑодеÑÐ¶Ð¸Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, ÑÑо по ÑмолÑÐ°Ð½Ð¸Ñ ÑайловÑе ÑиÑÑÐµÐ¼Ñ Ð½Ðµ могÑÑ Ð±ÑÑÑ ÑкÑпоÑÑиÑÐ¾Ð²Ð°Ð½Ñ ÑеÑез NFS; и Ð´Ð»Ñ ÑазÑеÑÐµÐ½Ð¸Ñ ÑкÑпоÑÑа ÑайловÑÑ
ÑиÑÑем, ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеменнÑе, Ñакие как <computeroutput>nfs_export_all_ro</computeroutput> или <computeroutput>nfs_export_all_rw</computeroutput> Ð´Ð¾Ð»Ð¶Ð½Ñ Ð±ÑÑÑ Ð²ÐºÐ»ÑÑенÑ."
+
+#. Tag: para
+#, no-c-format
+msgid "Berkeley Internet Name Domain (BIND): the"
+msgstr "Berkeley Internet Name Domain (BIND): ÑÑÑаниÑа ÑÑководÑÑва"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "named"
+msgstr "named"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes what file type to use for a given situation (see the <computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> section). The"
+msgstr "ÑодеÑÐ¶Ð¸Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, какой Ñип Ñайла иÑполÑзÑеÑÑÑ Ð² данной ÑиÑÑаÑии (Ñаздел <computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> section). СÑÑаниÑа ÑÑководÑÑва"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "named_selinux"
+msgstr "named_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that, by default, <systemitem class=\"daemon\">named</systemitem> can not write to master zone files, and to allow such access, the <computeroutput>named_write_master_zones</computeroutput> Boolean must be turned on."
+msgstr "ÑодеÑÐ¶Ð¸Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, ÑÑо по ÑмолÑаниÑ, <systemitem class=\"daemon\">named</systemitem> не Ð¼Ð¾Ð¶ÐµÑ Ð¾ÑÑÑеÑÑвлÑÑÑ Ð·Ð°Ð¿Ð¸ÑÑ Ð² ÑÐ°Ð¹Ð»Ñ Ð·Ð¾Ð½, и Ð´Ð»Ñ ÑазÑеÑÐµÐ½Ð¸Ñ Ñакого доÑÑÑпа ÐÑлева пеÑÐµÐ¼ÐµÐ½Ð½Ð°Ñ <computeroutput>named_write_master_zones</computeroutput> должна бÑÑÑ Ð²ÐºÐ»ÑÑена."
+
+#. Tag: para
+#, no-c-format
+msgid "The information in manual pages helps you configure the correct file types and Booleans, helping to prevent SELinux from denying access."
+msgstr "ÐнÑоÑмаÑÐ¸Ñ Ð² ÑÑÑаниÑаÑ
ÑÑководÑÑва Ð¿Ð¾Ð¼Ð¾Ð³Ð°ÐµÑ Ð½Ð°ÑÑÑоиÑÑ ÐºÐ¾ÑÑекÑнÑе ÑÐ¸Ð¿Ñ Ñайлов и ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеклÑÑаÑели, пÑедоÑвÑаÑÐ°Ñ SELinux Ð¾Ñ Ð±Ð»Ð¾ÐºÐ¸ÑÐ¾Ð²Ð°Ð½Ð¸Ñ Ð´Ð¾ÑÑÑпа."
+
+#. Tag: title
+#, no-c-format
+msgid "Permissive Domains"
+msgstr "РазÑеÑаÑÑие Ð´Ð¾Ð¼ÐµÐ½Ñ (Permissive Domains)"
+
+#. Tag: para
+#, no-c-format
+msgid "When SELinux is running in permissive mode, SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Previously, it was not possible to make a single domain permissive (remember: processes run in domains). In certain situations, this led to making the whole system permissive to troubleshoot issues."
+msgstr "Ðогда SELinux запÑÑен в ÑазÑеÑаÑÑем Ñежиме, SELinux не блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп, но блокиÑовки жÑÑналиÑÑÑÑÑÑ ÐºÐ°Ðº дейÑÑвиÑ, коÑоÑÑе бÑли Ð±Ñ Ð±Ð»Ð¾ÐºÐ¸ÑованÑ, еÑли запÑÑен пÑинÑдиÑелÑнÑй Ñежим. РанÑÑе, не бÑло возможноÑÑи ÑделаÑÑ Ð¾Ð¿ÑеделеннÑй домен ÑазÑеÑаÑÑим (помниÑе: пÑоÑеÑÑÑ Ð·Ð°Ð¿ÑÑкаÑÑÑÑ Ð² доменаÑ
). РнекоÑоÑÑÑ
ÑиÑÑаÑиÑÑ
, ÑÑо Ð²ÐµÐ´ÐµÑ Ðº ÑомÑ, ÑÑÐ¾Ð±Ñ ÑделаÑÑ Ð²ÑÑ ÑиÑÑÐµÐ¼Ñ ÑазÑеÑаÑÑей Ð´Ð»Ñ Ð´Ð¸Ð°Ð³Ð½Ð¾ÑÑики и иÑпÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð¾Ñибок."
+
+#. Tag: para
+#, no-c-format
+msgid "Fedora &PRODVER; includes permissive domains, where an administrator can configure a single process (domain) to run permissive, rather than making the whole system permissive. SELinux checks are still performed for permissive domains; however, the kernel allows access and reports an AVC denial for situations where SELinux would have denied access. Permissive domains are also available in Fedora 9 (with the latest updates applied)."
+msgstr "Fedora &PRODVER; вклÑÑÐ°ÐµÑ ÑазÑеÑаÑÑие доменÑ, где админиÑÑÑаÑÐ¾Ñ Ð¼Ð¾Ð¶ÐµÑ ÑконÑигÑÑиÑоваÑÑ Ð¾Ð¿ÑеделеннÑй пÑоÑеÑÑ (домен) Ð´Ð»Ñ Ð·Ð°Ð¿ÑÑка в ÑазÑеÑаÑÑем Ñежиме, вмеÑÑо Ñого, ÑÑÐ¾Ð±Ñ Ð²ÑÑ ÑиÑÑÐµÐ¼Ñ Ð¿ÐµÑевеÑÑи в ÑазÑеÑаÑÑий Ñежим. SELinux вÑÑ Ñавно вÑполнÑÐµÑ Ð¿ÑовеÑки ÑазÑеÑаÑÑиÑ
доменов; однако, ÑдÑо пÑедоÑÑавлÑÐµÑ Ð´Ð¾ÑÑÑп и ÑообÑÐ°ÐµÑ AVC об оÑказаÑ
в доÑÑÑпе, когда SELinux блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп. РазÑеÑаÑÑие Ð´Ð¾Ð¼ÐµÐ½Ñ Ð´Ð¾ÑÑÑÐ¿Ð½Ñ Ñакже и в Fedora 9 (Ñ ÑÑÑановленнÑми поÑледними обновлениÑми)."
+
+#. Tag: para
+#, no-c-format
+msgid "In Red Hat Enterprise Linux 4 and 5, <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> Booleans are available to prevent an application from transitioning to a confined domain, and therefore, the process runs in an unconfined domain, such as <computeroutput>initrc_t</computeroutput>. Turning such Booleans on can cause major problems. For example, if the <computeroutput>httpd_disable_trans</computeroutput> Boolean is turned on:"
+msgstr "Ð Red Hat Enterprise Linux 4 and 5, доÑÑÑÐ¿Ð½Ñ ÐÑÐ»ÐµÐ²Ñ Ð¿ÐµÑеклÑÑаÑели <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> Ð´Ð»Ñ Ð¿ÑедоÑвÑаÑÐµÐ½Ð¸Ñ Ð¿Ñиложений вÑÐ¿Ð¾Ð»Ð½ÐµÐ½Ð¸Ñ Ð¿ÐµÑеÑ
одов (transitions) в огÑаниÑеннÑй домен, кÑоме Ñого, пÑоÑеÑÑ, запÑÑкаеÑÑÑ Ð² неогÑаниÑенном домене, Ñаком как <computeroutput>initrc_t</computeroutput>. ÐаÑÑÑойка подобнÑÑ
ÐÑлевÑÑ
знаÑений Ð¼Ð¾Ð¶ÐµÑ Ð¿ÑивеÑÑи к Ð²Ð¾Ð·Ð½Ð¸ÐºÐ½Ð¾Ð²ÐµÐ½Ð¸Ñ Ð·Ð½Ð°ÑиÑелÑнÑÑ
пÑоблем. ÐапÑимеÑ, еÑли ÐÑлево знаÑение <computeroutput>httpd_disable_trans</computeroutput> вклÑÑено:"
+
+#. Tag: para
+#, no-c-format
+msgid "<systemitem class=\"daemon\">httpd</systemitem> runs in the unconfined <computeroutput>initrc_t</computeroutput> domain. Files created by processes running in the <computeroutput>initrc_t</computeroutput> domain may not have the same labeling rules applied as files created by a process running in the <computeroutput>httpd_t</computeroutput> domain, potentially allowing processes to create mislabeled files. This causes access problems later on."
+msgstr "<systemitem class=\"daemon\">httpd</systemitem> запÑÑÑиÑÑÑ Ð² неогÑаниÑенном <computeroutput>initrc_t</computeroutput> домене. Ð¤Ð°Ð¹Ð»Ñ ÑозданнÑе Ñаким пÑоÑеÑÑом, запÑÑенном в <computeroutput>initrc_t</computeroutput> домене, могÑÑ Ð½Ðµ полÑÑиÑÑ Ð¼ÐµÑок безопаÑноÑÑи, коÑоÑÑе полÑÑÐ°Ñ ÑайлÑ, ÑозданнÑе в домене <computeroutput>httpd_t</computeroutput>, поÑенÑиалÑно позволÑÑ Ð¿ÑоÑеÑÑам ÑоздаваÑÑ Ð½ÐµÐºÐ¾ÑÑекÑно пÑомаÑкиÑованнÑе ÑайлÑ. РдалÑнейÑем Ñакие ÑиÑÑаÑии вÑзÑваÑÑ Ð¿ÑоблемÑ."
+
+#. Tag: para
+#, no-c-format
+msgid "confined domains that are allowed to communicate with <computeroutput>httpd_t</computeroutput> can not communicate with <computeroutput>initrc_t</computeroutput>, possibly causing additional failures."
+msgstr "огÑаниÑеннÑй доменÑ, коÑоÑÑм ÑазÑеÑено взаимодейÑÑвоваÑÑ Ñ <computeroutput>httpd_t</computeroutput>, не ÑазÑеÑено взаимодейÑÑвоваÑÑ Ñ <computeroutput>initrc_t</computeroutput>, возможно Ñакие ÑиÑÑаÑии пÑиводÑÑ Ðº дополниÑелÑнÑм пÑоблемам."
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> Booleans were removed from Fedora 7, even though there was no replacement. Permissive domains solve the above issues: transition rules apply, and files are created with the correct labels."
+msgstr "ÐÑÐ»ÐµÐ²Ñ Ð·Ð½Ð°ÑÐµÐ½Ð¸Ñ <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> бÑли ÑÐ´Ð°Ð»ÐµÐ½Ñ Ð¸Ð· Fedora 7, и Ð´Ð»Ñ Ð½Ð¸Ñ
не подÑазÑмеваеÑÑÑ Ð½Ð¸ÐºÐ°ÐºÐ¾Ð¹ заменÑ. РазÑеÑаÑÑие Ð´Ð¾Ð¼ÐµÐ½Ñ ÑеÑаÑÑ Ð¿Ð¾Ð´Ð¾Ð±Ð½Ñе ÑиÑÑаÑии: пÑавила пеÑеÑ
одов пÑименÑÑÑÑÑ Ð¸ ÑÐ°Ð¹Ð»Ñ ÑоздаÑÑÑÑ Ñ ÐºÐ¾ÑÑекÑнÑми меÑками."
+
+#. Tag: para
+#, no-c-format
+msgid "Permissive domains can be used for:"
+msgstr "РазÑеÑаÑÑие Ð´Ð¾Ð¼ÐµÐ½Ñ Ð¼Ð¾Ð³ÑÑ Ð±ÑÑÑ Ð¸ÑполÑÐ·Ð¾Ð²Ð°Ð½Ñ Ð´Ð»Ñ:"
+
+#. Tag: para
+#, no-c-format
+msgid "making a single process (domain) run permissive to troubleshoot an issue, rather than putting the entire system at risk by making the entire system permissive."
+msgstr "ÐеÑевеÑÑи ÑабоÑÑ Ð¾Ð¿Ñеделенного пÑоÑеÑÑа (домена) в ÑазÑеÑаÑÑий Ñежим Ð´Ð»Ñ Ð°Ð½Ð°Ð»Ð¸Ð·Ð° и вÑÑÐ²Ð»ÐµÐ½Ð¸Ñ Ð¿Ñоблем, вмеÑÑо подвеÑÐ¶ÐµÐ½Ð¸Ñ ÑиÑÐºÑ Ñелой ÑиÑÑемÑ, заÑÑÐµÑ Ð¿ÐµÑевода ÑиÑÑÐµÐ¼Ñ Ð² ÑазÑеÑаÑÑий Ñежим."
+
+#. Tag: para
+#, no-c-format
+msgid "creating policies for new applications. Previously, it was recommended that a minimal policy be created, and then the entire machine put into permissive mode, so that the application could run, but SELinux denials still logged. <command>audit2allow</command> could then be used to help write the policy. This put the whole system at risk. With permissive domains, only the domain in the new policy can be marked permissive, without putting the whole system at risk."
+msgstr "ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð¿Ð¾Ð»Ð¸Ñик Ð´Ð»Ñ Ð½Ð¾Ð²Ð¾Ð³Ð¾ пÑиложениÑ. РанÑÑе, ÑекомендовалоÑÑ, ÑоздаваÑÑ Ð¼Ð¸Ð½Ð¸Ð¼Ð°Ð»ÑнÑÑ Ð¿Ð¾Ð»Ð¸ÑикÑ, и заÑем вÑÑ Ð¼Ð°Ñина пеÑемеÑалаÑÑ Ð² ÑазÑеÑаÑÑий Ñежим, Ñак, ÑÑÐ¾Ð±Ñ Ð¿ÑÐ¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ Ð¼Ð¾Ð³Ð»Ð¾ вÑполниÑÑÑÑ, но блокиÑовки SELinux вÑÑ Ñавно логиÑовалиÑÑ. ÐалÑÑе команда <command>audit2allow</command> могла бÑÑÑ Ð¸ÑполÑзована Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð¿Ð¾Ð»Ð¸Ñики. ÐÑо Ð´ÐµÐ»Ð°ÐµÑ Ð²ÑÑ ÑиÑÑÐµÐ¼Ñ ÑÑзвимой. С иÑполÑзованием ÑазÑеÑаÑÑиÑ
доменов, ÑолÑко домен в новой полиÑике помеÑаеÑÑÑ ÐºÐ°Ðº ÑазÑеÑаÑÑий, без ÑиÑка ÑÑзвимоÑÑи вÑей ÑиÑÑемÑ."
+
+#. Tag: title
+#, no-c-format
+msgid "Making a Domain Permissive"
+msgstr "ÐодгоÑовка ÑазÑеÑаÑÑего домена"
+
+#. Tag: para
+#, no-c-format
+msgid "To make a domain permissive, run the <command>semanage permissive -a <replaceable>domain</replaceable></command> command, where <replaceable>domain</replaceable> is the domain you want to make permissive. For example, run the following command as the Linux root user to make the <computeroutput>httpd_t</computeroutput> domain (the domain the Apache HTTP Server runs in) permissive:"
+msgstr "ÐÐ»Ñ Ñого ÑÑÐ¾Ð±Ñ ÑделаÑÑ Ð´Ð¾Ð¼ÐµÐ½ ÑазÑеÑаÑÑим, необÑ
одимо вÑполниÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage permissive -a <replaceable>domain</replaceable></command>, где <replaceable>domain</replaceable> - ÑÑо домен, коÑоÑÑй нÑжно ÑделаÑÑ ÑазÑеÑаÑÑим. ÐапÑимеÑ, вÑполнение ÑледÑÑÑей ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root, ÑÐ´ÐµÐ»Ð°ÐµÑ Ð´Ð¾Ð¼ÐµÐ½ <computeroutput>httpd_t</computeroutput> (домен, в коÑоÑом запÑÑкаеÑÑÑ Apache HTTP Server) ÑазÑеÑаÑÑим:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
+msgstr "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "To view a list of domains you have made permissive, run the <command>semodule -l | grep permissive</command> command as the Linux root user. For example:"
+msgstr "ÐÐ»Ñ Ð¿ÑоÑмоÑÑа доменов, ÑабоÑаÑÑиÑ
в ÑазÑеÑаÑÑем Ñежиме, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semodule -l | grep permissive</command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root. ÐапÑимеÑ:"
+
+#. Tag: para
+#, no-c-format
+msgid "If you no longer want a domain to be permissive, run the <command>semanage permissive -d <replaceable>domain</replaceable></command> command as the Linux root user. For example:"
+msgstr "ÐÑли вам болÑÑе не ÑÑебÑеÑÑÑ ÑÑÑеÑÑвование ÑазÑеÑаÑÑего домена, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage permissive -d <replaceable>domain</replaceable></command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root. ÐапÑимеÑ:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
+msgstr "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
+
+#. Tag: title
+#, no-c-format
+msgid "Denials for Permissive Domains"
+msgstr "ÐлокиÑовки Ð´Ð»Ñ Ð Ð°Ð·ÑеÑаÑÑиÑ
доменов"
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput>SYSCALL</computeroutput> message is different for permissive domains. The following is an example AVC denial (and the associated system call) from the Apache HTTP Server:"
+msgstr "СообÑение <computeroutput>SYSCALL</computeroutput> оÑлиÑаеÑÑÑ Ð´Ð»Ñ ÑазÑеÑаÑÑиÑ
доменов. Ðиже показан пÑÐ¸Ð¼ÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки AVC (и ÑооÑвеÑÑÑвÑÑÑего ÑиÑÑемного вÑзова) Ð¾Ñ Apache HTTP Server:"
+
+#. Tag: para
+#, no-c-format
+msgid "By default, the <computeroutput>httpd_t</computeroutput> domain is not permissive, and as such, the action is denied, and the <computeroutput>SYSCALL</computeroutput> message contains <computeroutput>success=no</computeroutput>. The following is an example AVC denial for the same situation, except the <command>semanage permissive -a httpd_t</command> command has been run to make the <computeroutput>httpd_t</computeroutput> domain permissive:"
+msgstr "Ðо ÑмолÑаниÑ, домен <computeroutput>httpd_t</computeroutput> не ÑазÑеÑаÑÑий и, как ÑледÑÑвие, дейÑÑвие блокиÑÑеÑÑÑ Ð¸ ÑообÑение <computeroutput>SYSCALL</computeroutput> ÑодеÑÐ¶Ð¸Ñ <computeroutput>success=no</computeroutput>. Ðиже показан пÑÐ¸Ð¼ÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки AVC Ð´Ð»Ñ Ñакой же ÑиÑÑаÑии, за иÑклÑÑением вÑполненной ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>semanage permissive -a httpd_t</command> Ð´Ð»Ñ Ð·Ð°Ð¿ÑÑка домена <computeroutput>httpd_t</computeroutput> в ÑазÑеÑаÑÑем Ñежиме:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this case, although an AVC denial was logged, access was not denied, as shown by <computeroutput>success=yes</computeroutput> in the <computeroutput>SYSCALL</computeroutput> message."
+msgstr "Ð ÑÑом ÑлÑÑае, неÑмоÑÑÑ Ð½Ð° Ñо, ÑÑо блокиÑовка AVC запиÑана, доÑÑÑп не блокиÑован, как показано в ÑообÑении <computeroutput>SYSCALL</computeroutput> <computeroutput>success=yes</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24537.html\">\"Permissive Domains\"</ulink> blog entry for further information about permissive domains."
+msgstr "ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð² блоге Dan Walsh <ulink url=\"http://danwalsh.livejournal.com/24537.html\">\"Permissive Domains\"</ulink> о ÑазÑеÑаÑÑиÑ
доменаÑ
."
+
+#. Tag: title
+#, no-c-format
+msgid "Searching For and Viewing Denials"
+msgstr "ÐоиÑк и пÑоÑмоÑÑ Ð±Ð»Ð¾ÐºÐ¸Ñовок"
+
+#. Tag: para
+#, no-c-format
+msgid "This section assumes the <package>setroubleshoot</package>, <package>setroubleshoot-server</package>, <package>dbus</package> and <package>audit</package> packages are installed, and that the <systemitem class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</systemitem>, and <systemitem class=\"daemon\">setroubleshootd</systemitem> daemons are running. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used\" /> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <command>ausearch</command>, <command>aureport</command>, and <command>sealert</command>."
+msgstr "Ð ÑÑом Ñазделе пÑедполагаеÑÑÑ, ÑÑо пакеÑÑ <package>setroubleshoot</package>, <package>setroubleshoot-server</package>, <package>dbus</package> и <package>audit</package> ÑÑÑановленÑ, и Ð´ÐµÐ¼Ð¾Ð½Ñ <systemitem class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</systemitem> и <systemitem class=\"daemon\">setroubleshootd</systemitem> запÑÑенÑ. Ð ÑооÑвеÑÑÑвии Ñ Ñазделом <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used\" /> об инÑоÑмаÑии о запÑÑке ÑÑиÑ
демонов. ЧаÑÑÑ ÑÑиÑ
ÑÑÐ¸Ð»Ð¸Ñ Ð¸ÑполÑзÑеÑÑÑ Ð´Ð»Ñ Ð¿Ð¾Ð¸Ñка и пÑоÑмоÑÑа блокиÑовок SELinux, Ñакие как <command>ausearch</command>, <command>aureport</command> и <command>sealert</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "ausearch"
+msgstr "ausearch"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>audit</package> package provides <command>ausearch</command>. From the"
+msgstr "ÐÐ°ÐºÐµÑ <package>audit</package> пÑедоÑÑавлÑÐµÑ <command>ausearch</command>. Ðз"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>ausearch</command> is a tool that can query the audit daemon logs based for events based on different search criteria\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora &PRODVER;. </para> </footnote>. The <command>ausearch</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user:"
+msgstr "ÑÑÑаниÑÑ ÑÑководÑÑва : \"<command>ausearch</command> - ÑÑо инÑÑÑÑÐ¼ÐµÐ½Ñ ÐºÐ¾ÑоÑÑй запÑаÑÐ¸Ð²Ð°ÐµÑ Ð»Ð¾Ð³Ð¸ демона аÑдиÑа, поÑÑÑоеннÑÑ
на ÑобÑÑиÑÑ
, оÑнованнÑÑ
на ÑазлиÑнÑÑ
кÑиÑеÑиÑÑ
поиÑка\"<footnote> <para> Ðз <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> ÑÑÑаниÑÑ ÑÑководÑÑва, поÑÑавлÑемой Ñ Ð¿Ð°ÐºÐµÑом <package>audit</package> в Fedora &PRODVER;. </para> </footnote>. ÐнÑÑÑÑÐ¼ÐµÐ½Ñ <command>ausearch</command> запÑаÑÐ¸Ð²Ð°ÐµÑ <filename>/var/log/audit/audit.log</filename> и, как ÑледÑÑвие, должен бÑÑÑ Ð·Ð°Ð¿ÑÑен Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root:"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Searching For"
+msgstr "ÐоиÑк"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Command"
+msgstr "Ðоманда"
+
+#. Tag: seg
+#, no-c-format
+msgid "all denials"
+msgstr "вÑе блокиÑовки"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc</command>"
+msgstr "<command>/sbin/ausearch -m avc</command>"
+
+#. Tag: seg
+#, no-c-format
+msgid "denials for that today"
+msgstr "блокиÑовки за ÑегоднÑÑний денÑ"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -ts today</command>"
+msgstr "<command>/sbin/ausearch -m avc -ts today</command>"
+
+#. Tag: seg
+#, no-c-format
+msgid "denials from the last 10 minutes"
+msgstr "блокиÑовки за поÑледние 10 минÑÑ"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -ts recent</command>"
+msgstr "<command>/sbin/ausearch -m avc -ts recent</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "To search for SELinux denials for a particular service, use the <option>-c <replaceable>comm-name</replaceable></option> option, where <replaceable>comm-name</replaceable> \"is the executableâs name\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora &PRODVER;. </para> </footnote>, for example, <systemitem class=\"daemon\">httpd</systemitem> for the Apache HTTP Server, and <systemitem class=\"daemon\">smbd</systemitem> for Samba:"
+msgstr "ÐÐ»Ñ Ð¿Ð¾Ð¸Ñка блокиÑовок SELinux Ð´Ð»Ñ Ð¾Ð¿Ñеделенной ÑлÑжбÑ, иÑполÑзÑеÑÑÑ Ð¾Ð¿ÑÐ¸Ñ <option>-c <replaceable>comm-name</replaceable></option>, где <replaceable>comm-name</replaceable> \"иÑполнÑемое Ð¸Ð¼Ñ Ñайла\"<footnote> <para> из ÑÑÑаниÑÑ ÑÑководÑÑва <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry>, поÑÑавлÑемой Ñ Ð¿Ð°ÐºÐµÑом <package>audit</package> в Fedora &PRODVER;. </para> </footnote>, напÑимеÑ, <systemitem class=\"daemon\">httpd</systemitem> Ð´Ð»Ñ Apache HTTP Server и <systemitem class=\"daemon\">smbd</systemitem> Ð´Ð»Ñ Samba:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -c httpd</command>"
+msgstr "<command>/sbin/ausearch -m avc -c httpd</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -c smbd</command>"
+msgstr "<command>/sbin/ausearch -m avc -c smbd</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the"
+msgstr "Ð ÑооÑвеÑÑÑвии Ñо"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>ausearch</command> options."
+msgstr "ÑÑÑаниÑей ÑÑководÑÑва <command>ausearch</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "aureport"
+msgstr "aureport"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>audit</package> package provides <command>aureport</command>. From the"
+msgstr "ÐÐ°ÐºÐµÑ <package>audit</package> пÑедоÑÑавлÑÐµÑ <command>aureport</command>. Ðз"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>aureport</command> is a tool that produces summary reports of the audit system logs\"<footnote> <para> From the <citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora &PRODVER;. </para> </footnote>. The <command>aureport</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <command>aureport -a</command> command. The following is example output that includes two denials:"
+msgstr "ÑÑÑаниÑÑ ÑÑководÑÑва : \"<command>aureport</command> - ÑÑо ÑÑилиÑа, ÑоÑмиÑÑÑÑÐ°Ñ Ð¾ÑÑеÑÑ ÑиÑÑемнÑÑ
жÑÑналов аÑдиÑа\"<footnote> <para> Ðз ÑÑÑаниÑÑ ÑÑководÑÑва <citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum></citerefentry>, поÑÑавлÑемой Ñ Ð¿Ð°ÐºÐµÑом <package>audit</package> в Fedora &PRODVER;. </para> </footnote>. УÑилиÑа <command>aureport</command> запÑаÑÐ¸Ð²Ð°ÐµÑ <filename>/var/log/audit/audit.log</filename>, а Ñакже Ð´Ð¾Ð»Ð¶Ð½Ñ Ð±ÑÑÑ Ð·Ð°Ð¿ÑÑена Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root. ÐÐ»Ñ Ð¿ÑоÑмоÑÑа ÑпиÑка блокиÑовок SELinux, а Ñакже как ÑаÑÑо ÐºÐ°Ð¶Ð´Ð°Ñ Ð¸Ð· ниÑ
возникаеÑ, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>aureport -a</command>. Ð ÑледÑÑÑем пÑимеÑе, показан вÑвод Ñ Ð´Ð²ÑÐ¼Ñ Ð±Ð»Ð¾ÐºÐ¸ÑовкамÐ
¸:"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>aureport</command> options."
+msgstr "ÑÑÑаниÑа ÑÑководÑÑва <command>aureport</command> Ñ Ð´Ð¾Ð¿Ð¾Ð»Ð½Ð¸ÑелÑнÑми опÑиÑми."
+
+#. Tag: title
+#, no-c-format
+msgid "sealert"
+msgstr "sealert"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>setroubleshoot-server</package> package provides <command>sealert</command>, which reads denial messages translated by <package>setroubleshoot-server</package>. Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. The following is an example denial from <filename>messages</filename>:"
+msgstr "ÐÐ°ÐºÐµÑ <package>setroubleshoot-server</package> пÑедоÑÑавлÑÐµÑ <command>sealert</command>, коÑоÑÐ°Ñ ÑиÑÐ°ÐµÑ ÑообÑÐµÐ½Ð¸Ñ Ð¾ блокиÑовкаÑ
, ÑÑанÑлиÑованнÑе <package>setroubleshoot-server</package>. ÐлокиÑовкам назнаÑаÑÑÑÑ ID, как показано в <filename>/var/log/messages</filename>. Ðиже показан пÑÐ¸Ð¼ÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки из <filename>messages</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, the denial ID is <computeroutput>84e0b04d-d0ad-4347-8317-22e74f6cd020</computeroutput>. The <option>-l</option> option takes an ID as an argument. Running the <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access."
+msgstr "Ð ÑÑом пÑимеÑе, ID блокиÑовки <computeroutput>84e0b04d-d0ad-4347-8317-22e74f6cd020</computeroutput>. ÐпÑÐ¸Ñ <option>-l</option> беÑÐµÑ ID в каÑеÑÑве аÑгÑменÑа. ÐапÑÑк ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> Ð¿Ð¾ÐºÐ°Ð¶ÐµÑ Ð´ÐµÑалÑнÑй анализ пÑиÑинÑ, поÑÐµÐ¼Ñ SELinux блокиÑовал доÑÑÑп и возможное ÑеÑение пÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑпа."
+
+#. Tag: para
+#, no-c-format
+msgid "If you are running the X Window System, have the <package>setroubleshoot</package> and <package>setroubleshoot-server</package> packages installed, and the <systemitem class=\"daemon\">setroubleshootd</systemitem>, <systemitem class=\"daemon\">dbus</systemitem> and <systemitem class=\"daemon\">auditd</systemitem> daemons are running, a warning is displayed when access is denied by SELinux. Clicking on 'Show' launches the <command>sealert</command> GUI, and displays denials in HTML output:"
+msgstr "ÐÑли запÑÑена X Window System, и ÑÑÑÐ°Ð½Ð¾Ð²Ð»ÐµÐ½Ñ Ð¿Ð°ÐºÐµÑÑ <package>setroubleshoot</package> и <package>setroubleshoot-server</package>, а Ñакже Ð´ÐµÐ¼Ð¾Ð½Ñ <systemitem class=\"daemon\">setroubleshootd</systemitem>, <systemitem class=\"daemon\">dbus</systemitem> и <systemitem class=\"daemon\">auditd</systemitem> запÑÑенÑ, Ñо пÑи блокиÑовке доÑÑÑпа SELinux бÑÐ´ÐµÑ Ð¿Ð¾ÐºÐ°Ð·Ð°Ð½Ð¾ пÑедÑпÑеждение. ÐажмиÑе 'Show', ÑÑо запÑÑÑÐ¸Ñ GUI <command>sealert</command> и Ð¿Ð¾ÐºÐ°Ð¶ÐµÑ Ð±Ð»Ð¾ÐºÐ¸ÑÐ¾Ð²ÐºÑ Ð² HTML ÑоÑмаÑе:"
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>sealert -b</command> command to launch the <command>sealert</command> GUI."
+msgstr "ÐÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sealert -b</command> Ð´Ð»Ñ Ð·Ð°Ð¿ÑÑка GUI <command>sealert</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>sealert -l \\*</command> command to view a detailed analysis of all denials."
+msgstr "ÐÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sealert -l \\*</command> Ð´Ð»Ñ Ð¿ÑоÑмоÑÑа деÑалÑного анализа вÑеÑ
блокиÑовок."
+
+#. Tag: para
+#, no-c-format
+msgid "As the Linux root user, run the <command>sealert -a /var/log/audit/audit.log -H > audit.html</command> command to create a HTML version of the <command>sealert</command> analysis, as seen with the <command>sealert</command> GUI."
+msgstr "ÐÑ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sealert -a /var/log/audit/audit.log -H > audit.html</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ HTML веÑÑии анализа <command>sealert</command>, как показано в GUI <command>sealert</command>."
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>sealert</command> options."
+msgstr "ÑÑÑаниÑа ÑÑководÑÑва <command>sealert</command> Ñ Ð´Ð¾Ð¿Ð¾Ð»Ð½Ð¸ÑелÑнÑми опÑиÑми."
+
+#. Tag: title
+#, no-c-format
+msgid "Raw Audit Messages"
+msgstr "ÐеобÑабоÑаннÑе ÑообÑÐµÐ½Ð¸Ñ Ð°ÑдиÑа"
+
+#. Tag: para
+#, no-c-format
+msgid "Raw audit messages are logged to <filename>/var/log/audit/audit.log</filename>. The following is an example AVC denial (and the associated system call) that occurred when the Apache HTTP Server (running in the <computeroutput>httpd_t</computeroutput> domain) attempted to access the <filename>/var/www/html/file1</filename> file (labeled with the <computeroutput>samba_share_t</computeroutput> type):"
+msgstr "ÐеобÑабоÑаннÑе ÑообÑÐµÐ½Ð¸Ñ Ð°ÑдиÑа запиÑÑваÑÑÑÑ Ð² <filename>/var/log/audit/audit.log</filename>. Ðиже показан пÑÐ¸Ð¼ÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки AVC (и ÑвÑзаннÑй Ñ ÑÑим ÑиÑÑемнÑй вÑзов), коÑоÑÑе поÑвлÑÑÑÑÑ, когда Apache HTTP Server (запÑÑеннÑй в домене <computeroutput>httpd_t</computeroutput>) запÑаÑÐ¸Ð²Ð°ÐµÑ Ð´Ð¾ÑÑÑп к ÑÐ°Ð¹Ð»Ñ <filename>/var/www/html/file1</filename> (маÑкиÑованнÑй Ñипом <computeroutput>samba_share_t</computeroutput>):"
+
+#. Tag: term
+#, no-c-format
+msgid "<replaceable>{ getattr }</replaceable>"
+msgstr "<replaceable>{ getattr }</replaceable>"
+
+#. Tag: para
+#, no-c-format
+msgid "The item in braces indicates the permission that was denied. <computeroutput>getattr</computeroutput> indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include <computeroutput>getattr</computeroutput>, <computeroutput>read</computeroutput>, and <computeroutput>write</computeroutput>."
+msgstr "ÐÐ»ÐµÐ¼ÐµÐ½Ñ Ð² ÑкобкаÑ
показÑÐ²Ð°ÐµÑ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, ÑÑо доÑÑÑп бÑл блокиÑован. <computeroutput>getattr</computeroutput> показÑÐ²Ð°ÐµÑ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ Ñом, ÑÑо пÑоÑеÑÑ-иÑÑоÑник пÑÑалÑÑ Ð¿ÑоÑеÑÑÑ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾ ÑÑаÑÑÑе Ñайла. ÐÑо пÑоиÑÑ
Ð¾Ð´Ð¸Ñ Ð¿ÐµÑед ÑÑением Ñайла. ÐÑо дейÑÑвие бÑло блокиÑовано, Ñак как Ñайл, к коÑоÑÐ¾Ð¼Ñ Ð·Ð°Ð¿ÑаÑивалÑÑ Ð´Ð¾ÑÑÑп, бÑл пÑомаÑкиÑован непÑавилÑной меÑкой. ÐбÑÑно ÑазÑеÑÐµÐ½Ð¸Ñ Ð½Ð° пÑоÑмоÑÑ Ð²ÐºÐ»ÑÑаÑÑ: <computeroutput>getattr</computeroutput>, <computeroutput>read</computeroutput> и <computeroutput>write</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "comm=\"<replaceable>httpd</replaceable>\""
+msgstr "comm=\"<replaceable>httpd</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The executable that launched the process. The full path of the executable is found in the <computeroutput>exe=</computeroutput> section of the system call (<computeroutput>SYSCALL</computeroutput>) message, which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+msgstr "ÐÑполнÑемÑй Ñайл, коÑоÑÑй запÑÑÐºÐ°ÐµÑ Ð¿ÑоÑеÑÑ. ÐолнÑй пÑÑÑ Ðº иÑполнÑÐµÐ¼Ð¾Ð¼Ñ ÑÐ°Ð¹Ð»Ñ Ð½Ð°Ñ
одиÑÑÑ Ð² Ñазделе <computeroutput>exe=</computeroutput> ÑообÑÐµÐ½Ð¸Ñ ÑиÑÑемного вÑзова (<computeroutput>SYSCALL</computeroutput>), коÑоÑÑй в ÑÑом ÑлÑÑае <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "path=\"<replaceable>/var/www/html/file1</replaceable>\""
+msgstr "path=\"<replaceable>/var/www/html/file1</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The path to the object (target) the process attempted to access."
+msgstr "ÐÑÑÑ Ðº обÑекÑÑ (target) пÑоÑеÑÑ Ð·Ð°Ð¿ÑаÑиваÑÑий доÑÑÑп."
+
+#. Tag: term
+#, no-c-format
+msgid "scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
+msgstr "scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the <computeroutput>httpd_t</computeroutput> domain."
+msgstr "конÑекÑÑ SELinux пÑоÑеÑÑа, коÑоÑÑй вÑполнÑÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñованное дейÑÑвие. Рданном ÑлÑÑае, ÑÑо конÑекÑÑ SELinux пÑоÑеÑÑа Apache HTTP Server, запÑÑеннÑй в домене <computeroutput>httpd_t</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "tcontext=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>\""
+msgstr "context=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>\""
+
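Review bot: the msgstr for the `tcontext=` term entry drops the leading "t". The msgid is `tcontext=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>\"`, but the msgstr begins with `context=`. This is a literal field name from the AVC record in audit.log, not translatable text. The neighbouring `comm=`, `path=` and `scontext=` term entries are copied verbatim, and the paragraphs that follow refer to `<computeroutput>tcontext</computeroutput>` by name. Suggest making the msgstr identical to the msgid, so the Russian guide names the field a reader will actually see in a denial and the contrast with `scontext` stays intact.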
+#. Tag: para
+#, no-c-format
+msgid "The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of <filename>file1</filename>. Note: the <computeroutput>samba_share_t</computeroutput> type is not accessible to processes running in the <computeroutput>httpd_t</computeroutput> domain."
+msgstr "ÐонÑекÑÑ SELinux обÑекÑа (Ñели, target) пÑоÑеÑÑа, запÑаÑиваÑÑего доÑÑÑп. Рданном ÑлÑÑае - ÑÑо конÑекÑÑ SELinux Ñайла <filename>file1</filename>. ÐÑимеÑание: Ñип <computeroutput>samba_share_t</computeroutput> не доÑÑÑпен пÑоÑеÑÑам, запÑÑеннÑм в <computeroutput>httpd_t</computeroutput> домене."
+
+#. Tag: para
+#, no-c-format
+msgid "In certain situations, the <computeroutput>tcontext</computeroutput> may match the <computeroutput>scontext</computeroutput>, for example, when a process attempts to execute a system service that will change characteristics of that running process, such as the user ID. Also, the <computeroutput>tcontext</computeroutput> may match the <computeroutput>scontext</computeroutput> when a process tries to use more resources (such as memory) than normal limits allow, resulting in a security check to see if that process is allowed to break those limits."
+msgstr "РопÑеделеннÑÑ
ÑиÑÑаÑиÑÑ
, <computeroutput>tcontext</computeroutput> Ð¼Ð¾Ð¶ÐµÑ ÑовпадаÑÑ Ñ <computeroutput>scontext</computeroutput>, напÑимеÑ, еÑли пÑоÑеÑÑ Ð¿ÑÑаеÑÑÑ Ð²ÑполниÑÑ ÑиÑÑемнÑÑ ÑлÑжбÑ, коÑоÑÐ°Ñ Ð¸Ð·Ð¼ÐµÐ½ÑÐµÑ Ñ
аÑакÑеÑиÑÑики ÑÑого, запÑÑенного пÑоÑеÑÑа, Ñакого как ID полÑзоваÑелÑ. Также <computeroutput>tcontext</computeroutput> Ð¼Ð¾Ð¶ÐµÑ ÑовпадаÑÑ Ñ <computeroutput>scontext</computeroutput>, когда пÑоÑеÑÑ Ð¿ÑÑаеÑÑÑ Ð¸ÑполÑзоваÑÑ Ð±Ð¾Ð»ÑÑе ÑеÑÑÑÑов (напÑимеÑ, памÑÑи) Ñем позволÑÐµÑ Ð»Ð¸Ð¼Ð¸Ñ, ÑÑо пÑÐ¸Ð²Ð¾Ð´Ð¸Ñ Ðº пÑовеÑке безопаÑноÑÑи, Ð¼Ð¾Ð¶ÐµÑ Ð»Ð¸ Ñакой пÑоÑеÑÑ Ð¿ÑеодолеÑÑ Ð´Ð°Ð½Ð½Ð¾Ðµ огÑаниÑение."
+
+#. Tag: para
+#, no-c-format
+msgid "From the system call (<computeroutput>SYSCALL</computeroutput>) message, two items are of interest:"
+msgstr "Ðз ÑообÑÐµÐ½Ð¸Ñ ÑиÑÑемного вÑзова (<computeroutput>SYSCALL</computeroutput>), инÑеÑеÑÐ½Ñ Ð´Ð²Ð° пÑнкÑа:"
+
+#. Tag: para
+#, no-c-format
+msgid "<computeroutput>success=<replaceable>no</replaceable></computeroutput>: indicates whether the denial (AVC) was enforced or not. <computeroutput>success=no</computeroutput> indicates the system call was not successful (SELinux denied access). <computeroutput>success=yes</computeroutput> indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as <computeroutput>initrc_t</computeroutput> and <computeroutput>kernel_t</computeroutput>."
+msgstr "<computeroutput>success=<replaceable>no</replaceable></computeroutput>: показÑÐ²Ð°ÐµÑ Ð±Ñла ли блокиÑовка (AVC) пÑинÑдиÑелÑна или неÑ. <computeroutput>success=no</computeroutput> показÑваеÑ, ÑÑо ÑиÑÑемнÑй вÑзов не бÑл вÑполнен ÑÑпеÑно (SELinux блокиÑовал доÑÑÑп). <computeroutput>success=yes</computeroutput> показÑваеÑ, ÑÑо ÑиÑÑемнÑй вÑзов бÑл вÑполнен ÑÑпеÑно - Ñакое ÑобÑÑие можно ÑвидеÑÑ Ð´Ð»Ñ ÑазÑеÑаÑÑиÑ
доменов или неогÑаниÑеннÑÑ
доменов, ÑакиÑ
как <computeroutput>initrc_t</computeroutput> и <computeroutput>kernel_t</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</computeroutput>: the full path to the executable that launched the process, which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+msgstr "<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</computeroutput>: полнÑй пÑÑÑ Ðº иÑполнÑÐµÐ¼Ð¾Ð¼Ñ ÑайлÑ, коÑоÑÑй запÑÑÐºÐ°ÐµÑ Ð¿ÑоÑеÑÑ, коÑоÑÑй в данном ÑлÑÑае <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "An incorrect file type is a common cause for SELinux denying access. To start troubleshooting, compare the source context (<computeroutput>scontext</computeroutput>) with the target context (<computeroutput>tcontext</computeroutput>). Should the process (<computeroutput>scontext</computeroutput>) be accessing such an object (<computeroutput>tcontext</computeroutput>)? For example, the Apache HTTP Server (<computeroutput>httpd_t</computeroutput>) should only be accessing types specified in the"
+msgstr "ÐекоÑÑекÑнÑй Ñип Ñайла - ÑÑо оÑÐ½Ð¾Ð²Ð½Ð°Ñ Ð¿ÑиÑина, Ð´Ð»Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовок доÑÑÑпа SELinux. ÐÐ»Ñ Ð½Ð°Ñала анализа и ÑÑÑÑÐ°Ð½ÐµÐ½Ð¸Ñ Ð¿Ñоблем, ÑÑавниÑе иÑÑ
однÑÑ
конÑекÑÑ (<computeroutput>scontext</computeroutput>) Ñ ÑелевÑм конÑекÑÑом (<computeroutput>tcontext</computeroutput>). Ðолжен ли пÑоÑеÑÑ (<computeroutput>scontext</computeroutput>) полÑÑаÑÑ Ð´Ð¾ÑÑÑп к обÑекÑÑ (<computeroutput>tcontext</computeroutput>)? ÐапÑимеÑ, Apache HTTP Server (<computeroutput>httpd_t</computeroutput>) должен полÑÑаÑÑ Ð´Ð¾ÑÑÑп ÑолÑко к Ñайлам ÑказаннÑм в"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page, such as <computeroutput>httpd_sys_content_t</computeroutput>, <computeroutput>public_content_t</computeroutput>, and so on, unless configured otherwise."
+msgstr "ÑÑÑаниÑе ÑÑководÑÑва, Ñаким как <computeroutput>httpd_sys_content_t</computeroutput>, <computeroutput>public_content_t</computeroutput> и Ñак далее, еÑли не ÑконÑигÑÑиÑовано иное."
+
+#. Tag: title
+#, no-c-format
+msgid "sealert Messages"
+msgstr "СообÑÐµÐ½Ð¸Ñ sealert"
+
+#. Tag: para
+#, no-c-format
+msgid "Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. The following is an example AVC denial (logged to <filename>messages</filename>) that occurred when the Apache HTTP Server (running in the <computeroutput>httpd_t</computeroutput> domain) attempted to access the <filename>/var/www/html/file1</filename> file (labeled with the <computeroutput>samba_share_t</computeroutput> type):"
+msgstr "ÐлокиÑовкам пÑиÑваиваÑÑÑÑ ID, как видно в <filename>/var/log/messages</filename>. Ðиже показан пÑÐ¸Ð¼ÐµÑ Ð±Ð»Ð¾ÐºÐ¸Ñовки AVC (жÑÑналиÑованной в <filename>messages</filename>), коÑоÑÐ°Ñ Ð²Ð¾Ð·Ð½Ð¸ÐºÐ°ÐµÑ ÐºÐ¾Ð³Ð´Ð° Apache HTTP Server (запÑÑеннÑй в домене <computeroutput>httpd_t</computeroutput>) пÑÑаеÑÑÑ Ð¿Ð¾Ð»ÑÑиÑÑ Ð´Ð¾ÑÑÑп к ÑÐ°Ð¹Ð»Ñ <filename>/var/www/html/file1</filename> (маÑкиÑованнÑй Ñипом <computeroutput>samba_share_t</computeroutput>):"
+
+#. Tag: para
+#, no-c-format
+msgid "As suggested, run the <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> command to view the complete message. This command only works on the local machine, and presents the same information as the <command>sealert</command> GUI:"
+msgstr "ÐодÑазÑмеваеÑÑÑ, ÑÑо вÑполнение ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> Ð¿Ð¾ÐºÐ°Ð¶ÐµÑ ÑообÑение Ñеликом. ÐÑа команда ÑабоÑÐ°ÐµÑ ÑолÑко на локалÑной маÑине и показÑÐ²Ð°ÐµÑ Ð°Ð½Ð°Ð»Ð¾Ð³Ð¸ÑнÑÑ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ñ <command>sealert</command> GUI:"
+
+#. Tag: term
+#, no-c-format
+msgid "Summary"
+msgstr "ÐÑаÑÐºÐ°Ñ Ñводка"
+
+#. Tag: para
+#, no-c-format
+msgid "A brief summary of the denied action. This is the same as the denial in <filename>/var/log/messages</filename>. In this example, the <systemitem class=\"daemon\">httpd</systemitem> process was denied access to a file (<filename>file1</filename>), which is labeled with the <computeroutput>samba_share_t</computeroutput> type."
+msgstr "ÐÑаÑÐºÐ°Ñ Ñводка дейÑÑÐ²Ð¸Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовки. ÐÑо Ñа же ÑÐ°Ð¼Ð°Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовка, ÑÑо и в <filename>/var/log/messages</filename>. Ð ÑÑом пÑимеÑе пÑоÑеÑÑ <systemitem class=\"daemon\">httpd</systemitem> блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп к ÑÐ°Ð¹Ð»Ñ (<filename>file1</filename>), коÑоÑÑй помеÑен Ñипом <computeroutput>samba_share_t</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "Detailed Description"
+msgstr "ÐеÑалÑное опиÑание"
+
+#. Tag: para
+#, no-c-format
+msgid "A more verbose description. In this example, <filename>file1</filename> is labeled with the <computeroutput>samba_share_t</computeroutput> type. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired."
+msgstr "Ðолее полное опиÑание. Ð ÑÑом пÑимеÑе <filename>file1</filename> помеÑен Ñипом <computeroutput>samba_share_t</computeroutput>. ÐÑÐ¾Ñ Ñип иÑполÑзÑеÑÑÑ Ð´Ð»Ñ Ñайлов и каÑалогов, коÑоÑÑе необÑ
одимо ÑкÑпоÑÑиÑоваÑÑ ÑеÑез Samba. ÐпиÑание подÑазÑÐ¼ÐµÐ²Ð°ÐµÑ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ðµ Ñипа на Ñип, коÑоÑÑй Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ Ð´Ð¾ÑÑÑпен Ð´Ð»Ñ Apache HTTP Server и Samba, еÑли доÑÑÑп блокиÑÑеÑÑÑ."
+
+#. Tag: term
+#, no-c-format
+msgid "Allowing Access"
+msgstr "ÐÑедоÑÑавление доÑÑÑпа"
+
+#. Tag: para
+#, no-c-format
+msgid "A suggestion for how to allow access. This may be relabeling files, turning a Boolean on, or making a local policy module. In this case, the suggestion is to label the file with a type accessible to both the Apache HTTP Server and Samba."
+msgstr "ÐÑÐµÐ´Ð¿Ð¾Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ ÐºÐ°Ðº можно ÑазÑеÑиÑÑ Ð´Ð¾ÑÑÑп. ÐÑо можно ÑделаÑÑ Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ Ð¿ÐµÑемаÑкиÑовки Ñайлов, вклÑÑÐµÐ½Ð¸Ñ ÐÑлевÑÑ
пеÑеменнÑÑ
или ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð»Ð¾ÐºÐ°Ð»Ñного модÑÐ»Ñ Ð¿Ð¾Ð»Ð¸Ñики. Рданном ÑлÑÑае пÑедполагаеÑÑÑ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ Ñипа Ñайла, на Ñип доÑÑÑпнÑй Apache HTTP Server и Samba."
+
+#. Tag: term
+#, no-c-format
+msgid "Fix Command"
+msgstr "Ðоманда иÑпÑавлениÑ"
+
+#. Tag: para
+#, no-c-format
+msgid "A suggested command to allow access and resolve the denial. In this example, it gives the command to change the <filename>file1</filename> type to <computeroutput>public_content_t</computeroutput>, which is accessible to the Apache HTTP Server and Samba."
+msgstr "ÐÑÐµÐ´Ð¿Ð¾Ð»Ð°Ð³Ð°ÐµÐ¼Ð°Ñ ÐºÐ¾Ð¼Ð°Ð½Ð´Ð° Ð´Ð»Ñ Ð¿ÑедоÑÑÐ°Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð¾ÑÑÑп и ÑазÑеÑÐµÐ½Ð¸Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовки. Рданном пÑимеÑе, даÑÑÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ð°, изменÑÑÑÐ°Ñ Ñип <filename>file1</filename> на <computeroutput>public_content_t</computeroutput>, коÑоÑÑй доÑÑÑпен Apache HTTP Server и Samba."
+
+#. Tag: term
+#, no-c-format
+msgid "Additional Information"
+msgstr "ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑиÑ"
+
+#. Tag: para
+#, no-c-format
+msgid "Information that is useful in bug reports, such as the policy package name and version (<computeroutput>selinux-policy-3.5.13-11.fc12</computeroutput>), but may not help towards solving why the denial occurred."
+msgstr "ÐнÑоÑмаÑÐ¸Ñ Ð¿Ð¾Ð»ÐµÐ·Ð½Ð°Ñ Ð² оÑÑеÑаÑ
об оÑибкаÑ
, ÑакиÑ
как ÑÐ°ÐºÐ°Ñ ÐºÐ°Ðº Ð¸Ð¼Ñ Ð¿Ð°ÐºÐµÑа полиÑики и веÑÑÐ¸Ñ (<computeroutput>selinux-policy-3.5.13-11.fc12</computeroutput>), но не помогаÑÑÐ°Ñ Ð² напÑавлении ÑеÑÐµÐ½Ð¸Ñ Ð¸ ÑÑÑÑÐ°Ð½ÐµÐ½Ð¸Ñ Ð¿ÑиÑин поÑÐ²Ð»ÐµÐ½Ð¸Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовки."
+
+#. Tag: para
+#, no-c-format
+msgid "The raw audit messages from <filename>/var/log/audit/audit.log</filename> that are associated with the denial. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> for information about each item in the AVC denial."
+msgstr "ÐеобÑабоÑаннÑе ÑообÑÐµÐ½Ð¸Ñ Ð°ÑдиÑа из <filename>/var/log/audit/audit.log</filename>, ÑвÑзаннÑе Ñ Ð±Ð»Ð¾ÐºÐ¸Ñовкой. ÐополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> о каждом пÑнкÑе в блокиÑовке AVC."
+
+#. Tag: title
+#, no-c-format
+msgid "Allowing Access: audit2allow"
+msgstr "ÐÑедоÑÑавление доÑÑÑпа: audit2allow"
+
+#. Tag: para
+#, no-c-format
+msgid "Do not use the example in this section in production. It is used only to demonstrate the use of <command>audit2allow</command>."
+msgstr "Ðе иÑполÑзÑйÑе даннÑй пÑÐ¸Ð¼ÐµÑ Ð² пÑодÑкÑивной ÑиÑÑеме. Ðн иÑполÑзÑеÑÑÑ ÑолÑко Ð´Ð»Ñ Ð´ÐµÐ¼Ð¾Ð½ÑÑÑаÑии иÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ <command>audit2allow</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "From the"
+msgstr "Ðз"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "audit2allow"
+msgstr "audit2allow"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>audit2allow</command> - generate SELinux policy allow rules from logs of denied operations\"<footnote> <para> From the <citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page, as shipped with the <package>policycoreutils</package> package in Fedora &PRODVER;. </para> </footnote>. After analyzing denials as per <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, and if no label changes or Booleans allowed access, use <command>audit2allow</command> to create a local policy module. After access is denied by SELinux, running the <command>audit2allow</command> command presents Type Enforcement rules that allow the previously denied access."
+msgstr "ÑÑÑаниÑÑ ÑÑководÑÑва: \"<command>audit2allow</command> - генеÑиÑÑÐµÑ ÑазÑеÑаÑÑие пÑавила полиÑики SELinux из логов (жÑÑналаов) блокиÑованнÑÑ
опеÑаÑий\"<footnote> <para> Ðз ÑÑÑаниÑÑ ÑÑководÑÑва <citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</manvolnum></citerefentry>, поÑÑавлÑемой Ñ Ð¿Ð°ÐºÐµÑом <package>policycoreutils</package> в Fedora &PRODVER;. </para> </footnote>. ÐоÑле анализа блокиÑовок как в <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, и еÑли меÑки не изменÑÑÑÑÑ Ð¸ Ð½ÐµÑ ÐÑлевÑÑ
пеÑеменнÑÑ
, пÑедоÑÑавлÑÑÑиÑ
доÑÑÑп, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>audit2allow</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð»Ð¾ÐºÐ°Ð»Ñного модÑÐ»Ñ Ð¿Ð¾Ð»Ð¸Ñики. ÐоÑле Ñого, как
SELinux блокиÑовал доÑÑÑп, вÑполнение ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>audit2allow</command> Ð¿Ð¾ÐºÐ°Ð¶ÐµÑ Ð¿Ñавила Type Enforcement, коÑоÑÑе ÑазÑеÑÐ°Ñ Ð±Ð»Ð¾ÐºÐ¸ÑованнÑй доÑÑÑп."
+
+#. Tag: para
+#, no-c-format
+msgid "The following example demonstrates using <command>audit2allow</command> to create a policy module:"
+msgstr "Ð ÑледÑÑÑем пÑимеÑе демонÑÑÑиÑÑеÑÑÑ Ð¸ÑполÑзование <command>audit2allow</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð¼Ð¾Ð´ÑÐ»Ñ Ð¿Ð¾Ð»Ð¸Ñики:"
+
+#. Tag: para
+#, no-c-format
+msgid "A denial and the associated system call are logged to <filename>/var/log/audit/audit.log</filename>:"
+msgstr "ÐлокиÑовка и ÑооÑвеÑÑÑвÑÑÑий ÑиÑÑемнÑй вÑзов запиÑÐ°Ð½Ñ Ð² <filename>/var/log/audit/audit.log</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, <application>certwatch</application> (<computeroutput>comm=\"certwatch\"</computeroutput>) was denied write access (<computeroutput>{ write }</computeroutput>) to a directory labeled with the <computeroutput>var_t</computeroutput> type (<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). Analyze the denial as per <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />. If no label changes or Booleans allowed access, use <command>audit2allow</command> to create a local policy module."
+msgstr "Ð ÑÑом пÑимеÑе <application>certwatch</application> (<computeroutput>comm=\"certwatch\"</computeroutput>) блокиÑÑÐµÑ Ð´Ð¾ÑÑÑп на запиÑÑ (<computeroutput>{ write }</computeroutput>) в каÑалог помеÑеннÑй Ñипом <computeroutput>var_t</computeroutput> (<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). ÐÑоанализиÑÑйÑе блокиÑÐ¾Ð²ÐºÑ Ð² ÑооÑвеÑÑÑвии Ñ <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />. ÐÑли меÑки не Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ñ Ð¸Ð»Ð¸ Ð½ÐµÑ ÐÑлевÑÑ
пеÑеменнÑÑ
, пÑедоÑÑавлÑÑÑиÑ
доÑÑÑп, иÑполÑзÑйÑе <command>audit2allow</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð»Ð¾ÐºÐ°Ð»Ñной полиÑики."
+
+#. Tag: para
+#, no-c-format
+msgid "With a denial logged, such as the <computeroutput>certwatch</computeroutput> denial in step 1, run the <command>audit2allow -w -a</command> command to produce a human-readable description of why access was denied. The <option>-a</option> option causes all audit logs to be read. The <option>-w</option> option produces the human-readable description. The <command>audit2allow</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user:"
+msgstr "С запиÑаннÑм ÑообÑением о блокиÑовке, Ñаким как <computeroutput>certwatch</computeroutput> в Ñаге 1, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>audit2allow -w -a</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ñдобно-ÑиÑаемого опиÑаниÑ, поÑÐµÐ¼Ñ Ð´Ð¾ÑÑÑп бÑл блокиÑован. ÐпÑÐ¸Ñ <option>-a</option> ÑвлÑеÑÑÑ Ð¾Ñнованием Ð´Ð»Ñ ÑÑÐµÐ½Ð¸Ñ Ð²ÑеÑ
логов. ÐпÑÐ¸Ñ <option>-w</option> ÑÐ¾Ð·Ð´Ð°ÐµÑ Ñдобо-ÑиÑаемое опиÑание. ÐнÑÑÑÑÐ¼ÐµÐ½Ñ <command>audit2allow</command> запÑаÑÐ¸Ð²Ð°ÐµÑ <filename>/var/log/audit/audit.log</filename> и, как ÑледÑÑвие, должен бÑÑÑ Ð·Ð°Ð¿ÑÑен Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root."
+
+#. Tag: para
+#, no-c-format
+msgid "As shown, access was denied due to a missing Type Enforcement rule."
+msgstr "Ðак показано, доÑÑÑп блокиÑован, в ÑооÑвеÑÑÑвии Ñ Ð¾ÑÑÑÑÑÑвием пÑавила Type Enforcement."
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>audit2allow -a</command> command to view the Type Enforcement rule that allows the denied access:"
+msgstr "ÐÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>audit2allow -a</command> Ð´Ð»Ñ Ð¿ÑоÑмоÑÑа пÑавил Type Enforcement. коÑоÑÑе ÑазÑеÑаÑÑ Ð±Ð»Ð¾ÐºÐ¸ÑованнÑй доÑÑÑп:"
+
+#. Tag: para
+#, no-c-format
+msgid "Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>. For Fedora, create bugs against the <computeroutput>Fedora</computeroutput> product, and select the <computeroutput>selinux-policy</computeroutput> component. Include the output of the <command>audit2allow -w -a</command> and <command>audit2allow -a</command> commands in such bug reports."
+msgstr "ÐедоÑÑаÑÑие пÑавила Type Enforcement обÑÑно вÑзвана оÑибками в полиÑике SELinux, и о ниÑ
необÑ
одимо ÑообÑаÑÑ Ð² <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>. ÐÐ»Ñ Fedora, ÑоздайÑе bug напÑоÑив пÑодÑкÑа <computeroutput>Fedora</computeroutput> и вÑбеÑиÑе компоненÑÑ <computeroutput>selinux-policy</computeroutput>. ÐклÑÑиÑе вÑвод команд <command>audit2allow -w -a</command> и <command>audit2allow -a</command> в bug report."
+
+#. Tag: para
+#, no-c-format
+msgid "To use the rule displayed by <command>audit2allow -a</command>, run the <command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command> command as the Linux root user to create custom module. The <option>-M</option> option creates a Type Enforcement file (<filename>.te</filename>) with the name specified with <option>-M</option>, in your current working directory:"
+msgstr "ÐÐ»Ñ Ð¸ÑполÑÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ Ð¿Ñавила, показанного <command>audit2allow -a</command>, вÑполниÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð¸Ð½Ð´Ð¸Ð²Ð¸Ð´ÑалÑного модÑлÑ. ÐпÑÐ¸Ñ <option>-M</option> ÑÐ¾Ð·Ð´Ð°ÐµÑ Ñайл Type Enforcement (<filename>.te</filename>), Ñ Ð¸Ð¼ÐµÐ½ÐµÐ¼. ÑказаннÑм опÑией <option>-M</option>, в ÑекÑÑем каÑалоге:"
+
+#. Tag: para
+#, no-c-format
+msgid "Also, <command>audit2allow</command> compiles the Type Enforcement rule into a policy package (<filename>.pp</filename>). To install the module, run the <command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></command> command as the Linux root user."
+msgstr "Также, <command>audit2allow</command> компилиÑÑÐµÑ Ð¿Ñавила Type Enforcement в Ð¿Ð°ÐºÐµÑ Ð¿Ð¾Ð»Ð¸Ñики (<filename>.pp</filename>). ÐÐ»Ñ Ð¸Ð½ÑÑаллÑÑии модÑлÑ, иÑполÑзÑеÑÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ð° <command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></command> Ð¾Ñ Ð¸Ð¼ÐµÐ½Ð¸ полÑзоваÑÐµÐ»Ñ root."
+
+#. Tag: para
+#, no-c-format
+msgid "Modules created with <command>audit2allow</command> may allow more access than required. It is recommended that policy created with <command>audit2allow</command> be posted to an SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>, for review. If you believe their is a bug in policy, create a bug in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>."
+msgstr "ÐодÑли, ÑозданнÑе Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ <command>audit2allow</command> могÑÑ Ð¿ÑедоÑÑавиÑÑ Ð±Ð¾Ð»ÑÑе доÑÑÑпа Ñем ÑÑебÑеÑÑÑ. РекомендÑеÑÑÑ Ð¿ÑбликоваÑÑ Ð¿Ð¾Ð»Ð¸Ñики, ÑозданнÑе Ñ Ð¿Ð¾Ð¼Ð¾ÑÑÑ <command>audit2allow</command> в лиÑÑ SELinux. Ñакой как <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>, Ð´Ð»Ñ Ð¾Ð±Ð·Ð¾Ñа. ÐÑли ÐÑ ÑÑиÑаеÑе, ÑÑо ÑÑо оÑибка (bug) в полиÑике, ÑоздайÑе bug в <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>."
+
+#. Tag: para
+#, no-c-format
+msgid "If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the <command>grep</command> command to narrow down the input for <command>audit2allow</command>. The following example demonstrates using <command>grep</command> to only send denials related to <command>certwatch</command> through <command>audit2allow</command>:"
+msgstr "ÐÑли еÑÑÑ Ð¼Ð½Ð¾Ð¶ÐµÑÑво блокиÑовок Ð¾Ñ Ð¼Ð½Ð¾Ð¶ÐµÑÑва пÑоÑеÑÑов, но необÑ
одимо ÑоздаÑÑ Ð¸Ð½Ð´Ð¸Ð²Ð¸Ð´ÑалÑнÑÑ Ð¿Ð¾Ð»Ð¸ÑÐ¸ÐºÑ Ð´Ð»Ñ Ð¾Ð´Ð½Ð¾Ð³Ð¾ опÑеделенного пÑоÑеÑÑа, иÑполÑзÑйÑе ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>grep</command> Ð´Ð»Ñ ÑÑÐ¶ÐµÐ½Ð¸Ñ Ð²Ð²Ð¾Ð´Ð° команде <command>audit2allow</command>. Ð ÑледÑÑÑем пÑимеÑе демонÑÑÑиÑÑеÑÑÑ Ð¸ÑполÑзование ÐºÐ¾Ð¼Ð°Ð½Ð´Ñ <command>grep</command> Ð´Ð»Ñ Ð¾ÑпÑавки блокиÑовок. оÑноÑÑÑиÑ
ÑÑ ÑолÑко к <command>certwatch</command> Ð´Ð»Ñ <command>audit2allow</command>:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> blog entry for further information about using <command>audit2allow</command> to build policy modules."
+msgstr "Ð ÑооÑвеÑÑÑвии Ñ Ð±Ð»Ð¾Ð³Ð¾Ð¼ Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> дополниÑелÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑÐ¸Ñ Ð¾Ð± иÑполÑзовании <command>audit2allow</command> Ð´Ð»Ñ ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ Ð¼Ð¾Ð´Ñлей полиÑик."
+
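Review bot: The msgstr for "In this example, certwatch ... was denied write access" makes certwatch the subject of an active verb, so the Russian reads as certwatch blocking write access rather than SELinux denying certwatch that access. Reword it as a passive denial so the source and target of the AVC message are not inverted. The msgstr for the "audit2allow -w -a" step ends in a period where the msgid ends in a colon introducing the command output. The msgstr entries for the "audit2allow -a", "-M mycertwatch", fedora-selinux-list and grep paragraphs each contain a period followed by a lowercase continuation where a comma belongs. The msgstr for "Refer to Dan Walsh's ..." opens with "in accordance with the blog" instead of directing the reader to it. Separately, the msgid of the fedora-selinux-list paragraph carries "their is a bug", which needs fixing in the source string upstream, not in this translation.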