r488 - community/trunk/SELinux_User_Guide/ru-RU

transif at fedoraproject.org transif at fedoraproject.org
Sat Nov 20 08:42:31 UTC 2010


Author: transif
Date: 2010-11-20 08:42:31 +0000 (Sat, 20 Nov 2010)
New Revision: 488

Modified:
   community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po
Log:
l10n: Updates to Russian (ru) translation

Transmitted-via: Transifex (translate.fedoraproject.org)

Modified: community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po
===================================================================
--- community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po	2010-10-05 13:04:55 UTC (rev 487)
+++ community/trunk/SELinux_User_Guide/ru-RU/Troubleshooting.po	2010-11-20 08:42:31 UTC (rev 488)
@@ -1,1425 +1,903 @@
-# SOME DESCRIPTIVE TITLE.
-# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
-#
-#, fuzzy
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
-"POT-Creation-Date: 2010-04-15T00:19:32\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
-"Language-Team: LANGUAGE <kde-i18n-doc at kde.org>\n"
-"MIME-Version: 1.0\n"
-"Content-Type: application/x-xml2pot; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#. Tag: title
-#, no-c-format
-msgid "Troubleshooting"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following chapter describes what happens when SELinux denies access; the "
-"top three causes of problems; where to find information about correct "
-"labeling; analyzing SELinux denials; and creating custom policy modules with "
-"<command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "What Happens when Access is Denied"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"SELinux decisions, such as allowing or disallowing access, are cached. This "
-"cache is known as the Access Vector Cache (AVC). Denial messages are logged "
-"when SELinux denies access. These denials are also known as \"AVC denials\", "
-"and are logged to a different location, depending on which daemons are "
-"running:"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Daemon"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Log Location"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "auditd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<filename>/var/log/audit/audit.log</filename>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "auditd off; rsyslogd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<filename>/var/log/messages</filename>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "setroubleshootd, rsyslogd, and auditd on"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid ""
-"<filename>/var/log/audit/audit.log</filename>. Easier-to-read denial "
-"messages also sent to <filename>/var/log/messages</filename>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you are running the X Window System, have the <package>setroubleshoot</"
-"package> and <package>setroubleshoot-server</package> packages installed, "
-"and the <systemitem class=\"daemon\">setroubleshootd</systemitem> and "
-"<systemitem class=\"daemon\">auditd</systemitem> daemons are running, a "
-"warning is displayed when access is denied by SELinux:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Clicking on 'Show' presents a detailed analysis of why SELinux denied "
-"access, and a possible solution for allowing access. If you are not running "
-"the X Window System, it is less obvious when access is denied by SELinux. "
-"For example, users browsing your website may receive an error similar to the "
-"following:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For these situations, if DAC rules (standard Linux permissions) allow "
-"access, check <filename>/var/log/messages</filename> and <filename>/var/log/"
-"audit/audit.log</filename> for <computeroutput>\"SELinux is preventing\"</"
-"computeroutput> and <computeroutput>\"denied\"</computeroutput> errors "
-"respectively. This can be done by running the following commands as the "
-"Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>grep \"denied\" /var/log/audit/audit.log</command>"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Top Three Causes of Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following sections describe the top three causes of problems: labeling "
-"problems, configuring Booleans and ports for services, and evolving SELinux "
-"rules."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Labeling Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"On systems running SELinux, all processes and files are labeled with a label "
-"that contains security-relevant information. This information is called the "
-"SELinux context. If these labels are wrong, access may be denied. If an "
-"application is labeled incorrectly, the process it transitions to may not "
-"have the correct label, possibly causing SELinux to deny access, and the "
-"process being able to create mislabeled files."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A common cause of labeling problems is when a non-standard directory is used "
-"for a service. For example, instead of using <filename>/var/www/html/</"
-"filename> for a website, an administrator wants to use <filename>/srv/myweb/"
-"</filename>. On Fedora&nbsp;&PRODVER;, the <filename>/srv/</filename> "
-"directory is labeled with the <computeroutput>var_t</computeroutput> type. "
-"Files and directories created and <filename>/srv/</filename> inherit this "
-"type. Also, newly-created top-level directories (such as <filename>/myserver/"
-"</filename>) may be labeled with the <computeroutput>default_t</"
-"computeroutput> type. SELinux prevents the Apache HTTP Server (<systemitem "
-"class=\"daemon\">httpd</systemitem>) from accessing both of these types. To "
-"allow access, SELinux must know that the files in <filename>/srv/myweb/</"
-"filename> are to be accessible to <systemitem class=\"daemon\">httpd</"
-"systemitem>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This <command>semanage</command> command adds the context for the <filename>/"
-"srv/myweb/</filename> directory (and all files and directories under it) to "
-"the SELinux file-context configuration<footnote> <para> Files in <filename>/"
-"etc/selinux/targeted/contexts/files/</filename> define contexts for files "
-"and directories. Files in this directory are read by <command>restorecon</"
-"command> and <command>setfiles</command> to restore files and directories to "
-"their default contexts. </para> </footnote>. The <command>semanage</command> "
-"command does not change the context. As the Linux root user, run the "
-"<command>restorecon</command> command to apply the changes:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" /> "
-"for further information about adding contexts to the file-context "
-"configuration."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "What is the Correct Context?"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <command>matchpathcon</command> command checks the context of a file "
-"path and compares it to the default label for that path. The following "
-"example demonstrates using <command>matchpathcon</command> on a directory "
-"that contains incorrectly labeled files:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, the <filename>index.html</filename> and <filename>page1."
-"html</filename> files are labeled with the <computeroutput>user_home_t</"
-"computeroutput> type. This type is used for files in user home directories. "
-"Using the <command>mv</command> command to move files from your home "
-"directory may result in files being labeled with the "
-"<computeroutput>user_home_t</computeroutput> type. This type should not "
-"exist outside of home directories. Use the <command>restorecon</command> "
-"command to restore such files to their correct type:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To restore the context for all files under a directory, use the <option>-R</"
-"option> option:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" /> for a "
-"more detailed example of <command>matchpathcon</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "How are Confined Services Running?"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Services can be run in a variety of ways. To cater for this, you must tell "
-"SELinux how you are running services. This can be achieved via Booleans that "
-"allow parts of SELinux policy to be changed at runtime, without any "
-"knowledge of SELinux policy writing. This allows changes, such as allowing "
-"services access to NFS file systems, without reloading or recompiling "
-"SELinux policy. Also, running services on non-default port numbers requires "
-"policy configuration to be updated via the <command>semanage</command> "
-"command."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For example, to allow the Apache HTTP Server to communicate with MySQL, turn "
-"the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean on:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If access is denied for a particular service, use the <command>getsebool</"
-"command> and <command>grep</command> commands to see if any Booleans are "
-"available to allow access. For example, use the <command>getsebool -a | grep "
-"ftp</command> command to search for FTP related Booleans:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For a list of Booleans and whether they are on or off, run the <command>/usr/"
-"sbin/getsebool -a</command> command. For a list of Booleans, an explanation "
-"of what each one is, and whether they are on or off, run the <command>/usr/"
-"sbin/semanage boolean -l</command> command as the Linux root user. Refer to "
-"<xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans"
-"\" /> for information about listing and configuring Booleans."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Port Numbers"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Depending on policy configuration, services may only be allowed to run on "
-"certain port numbers. Attempting to change the port a service runs on "
-"without changing policy may result in the service failing to start. For "
-"example, run the <command>semanage port -l | grep http</command> command as "
-"the Linux root user to list <systemitem class=\"daemon\">http</systemitem> "
-"related ports:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput>http_port_t</computeroutput> port type defines the ports "
-"Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, "
-"488, 8008, 8009, and 8443. If an administrator configures <filename>httpd."
-"conf</filename> so that <systemitem class=\"daemon\">httpd</systemitem> "
-"listens on port 9876 (<option>Listen 9876</option>), but policy is not "
-"updated to reflect this, the <command>service httpd start</command> command "
-"fails:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"An SELinux denial similar to the following is logged to <filename>/var/log/"
-"audit/audit.log</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To allow <systemitem class=\"daemon\">httpd</systemitem> to listen on a port "
-"that is not listed for the <computeroutput>http_port_t</computeroutput> port "
-"type, run the <command>semanage port</command> command to add a port to "
-"policy configuration<footnote> <para> The <command>semanage port -a</"
-"command> command adds an entry to the <filename>/etc/selinux/targeted/"
-"modules/active/ports.local</filename> file. Note: by default, this file can "
-"only be viewed by the Linux root user. </para> </footnote>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <option>-a</option> option adds a new record; the <option>-t</option> "
-"option defines a type; and the <option>-p</option> option defines a "
-"protocol. The last argument is the port number to add."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Evolving Rules and Broken Applications"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Applications may be broken, causing SELinux to deny access. Also, SELinux "
-"rules are evolving - SELinux may not have seen an application running in a "
-"certain way, possibly causing it to deny access, even though the application "
-"is working as expected. For example, if a new version of PostgreSQL is "
-"released, it may perform actions the current policy has not seen before, "
-"causing access to be denied, even though access should be allowed."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"For these situations, after access is denied, use <command>audit2allow</"
-"command> to create a custom policy module to allow access. Refer to <xref "
-"linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-"
-"Allowing_Access_audit2allow\" /> for information about using "
-"<command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Fixing Problems"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following sections help troubleshoot issues. They go over: checking "
-"Linux permissions, which are checked before SELinux rules; possible causes "
-"of SELinux denying access, but no denials being logged; manual pages for "
-"services, which contain information about labeling and Booleans; permissive "
-"domains, for allowing one process to run permissive, rather than the whole "
-"system; how to search for and view denial messages; analyzing denials; and "
-"creating custom policy modules with <command>audit2allow</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Linux Permissions"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"When access is denied, check standard Linux permissions. As mentioned in "
-"<xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, most "
-"operating systems use a Discretionary Access Control (DAC) system to control "
-"access, allowing users to control the permissions of files that they own. "
-"SELinux policy rules are checked after DAC rules. SELinux policy rules are "
-"not used if DAC rules deny access first."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If access is denied and no SELinux denials are logged, use the <command>ls -"
-"l</command> command to view the standard Linux permissions:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, <filename>index.html</filename> is owned by the root user "
-"and group. The root user has read and write permissions (<computeroutput>-"
-"rw</computeroutput>), and members of the root group have read permissions "
-"(<computeroutput>-r-</computeroutput>). Everyone else has no access "
-"(<computeroutput>---</computeroutput>). By default, such permissions do not "
-"allow <systemitem class=\"daemon\">httpd</systemitem> to read this file. To "
-"resolve this issue, use the <command>chown</command> command to change the "
-"owner and group. This command must be run as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This assumes the default configuration, in which <systemitem class=\"daemon"
-"\">httpd</systemitem> runs as the Linux apache user. If you run <systemitem "
-"class=\"daemon\">httpd</systemitem> with a different user, replace "
-"<computeroutput>apache:apache</computeroutput> with that user."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to the <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/"
-"AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions"
-"\"</ulink> draft for information about managing Linux permissions."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Possible Causes of Silent Denials"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In certain situations, AVC denials may not be logged when SELinux denies "
-"access. Applications and system library functions often probe for more "
-"access than required to perform their tasks. To maintain least privilege "
-"without filling audit logs with AVC denials for harmless application "
-"probing, the policy can silence AVC denials without allowing a permission by "
-"using <computeroutput>dontaudit</computeroutput> rules. These rules are "
-"common in standard policy. The downside of <computeroutput>dontaudit</"
-"computeroutput> is that, although SELinux denies access, denial messages are "
-"not logged, making troubleshooting hard."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To temporarily disable <computeroutput>dontaudit</computeroutput> rules, "
-"allowing all denials to be logged, run the following command as the Linux "
-"root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semodule -DB</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <option>-D</option> option disables <computeroutput>dontaudit</"
-"computeroutput> rules; the <option>-B</option> option rebuilds policy. After "
-"running <command>semodule -DB</command>, try exercising the application that "
-"was encountering permission problems, and see if SELinux denials &mdash; "
-"relevant to the application &mdash; are now being logged. Take care in "
-"deciding which denials should be allowed, as some should be ignored and "
-"handled via <computeroutput>dontaudit</computeroutput> rules. If in doubt, "
-"or in search of guidance, contact other SELinux users and developers on an "
-"SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/"
-"fedora-selinux-list\">fedora-selinux-list</ulink>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To rebuild policy and enable <computeroutput>dontaudit</computeroutput> "
-"rules, run the following command as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semodule -B</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This restores the policy to its original state. For a full list of "
-"<computeroutput>dontaudit</computeroutput> rules, run the <command>sesearch "
-"--dontaudit</command> command. Narrow down searches using the <option>-s "
-"<replaceable>domain</replaceable></option> option and the <command>grep</"
-"command> command. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-"
-"Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Fixing_Problems-sealert_Messages\" /> for information about analyzing "
-"denials."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Manual Pages for Services"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Manual pages for services contain valuable information, such as what file "
-"type to use for a given situation, and Booleans to change the access a "
-"service has (such as <systemitem class=\"daemon\">httpd</systemitem> "
-"accessing NFS file systems). This information may be in the standard manual "
-"page, or a manual page with <computeroutput>selinux</computeroutput> "
-"prepended or appended."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "For example, the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "httpd_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page has information about what file type to use for a given "
-"situation, as well as Booleans to allow scripts, sharing files, accessing "
-"directories inside user home directories, and so on. Other manual pages with "
-"SELinux information for services include:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Samba: the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "samba_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that files and directories to be exported via Samba "
-"must be labeled with the <computeroutput>samba_share_t</computeroutput> "
-"type, as well as Booleans to allow files labeled with types other than "
-"<computeroutput>samba_share_t</computeroutput> to be exported via Samba."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "NFS: the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "nfs_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that, by default, file systems can not be exported via "
-"NFS, and that to allow file systems to be exported, Booleans such as "
-"<computeroutput>nfs_export_all_ro</computeroutput> or "
-"<computeroutput>nfs_export_all_rw</computeroutput> must be turned on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Berkeley Internet Name Domain (BIND): the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "named"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes what file type to use for a given situation (see the "
-"<computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> "
-"section). The"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "named_selinux"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page describes that, by default, <systemitem class=\"daemon\">named</"
-"systemitem> can not write to master zone files, and to allow such access, "
-"the <computeroutput>named_write_master_zones</computeroutput> Boolean must "
-"be turned on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The information in manual pages helps you configure the correct file types "
-"and Booleans, helping to prevent SELinux from denying access."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Permissive Domains"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"When SELinux is running in permissive mode, SELinux does not deny access, "
-"but denials are logged for actions that would have been denied if running in "
-"enforcing mode. Previously, it was not possible to make a single domain "
-"permissive (remember: processes run in domains). In certain situations, this "
-"led to making the whole system permissive to troubleshoot issues."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Fedora&nbsp;&PRODVER; includes permissive domains, where an administrator "
-"can configure a single process (domain) to run permissive, rather than "
-"making the whole system permissive. SELinux checks are still performed for "
-"permissive domains; however, the kernel allows access and reports an AVC "
-"denial for situations where SELinux would have denied access. Permissive "
-"domains are also available in Fedora 9 (with the latest updates applied)."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In Red Hat Enterprise Linux 4 and 5, <computeroutput><replaceable>domain</"
-"replaceable>_disable_trans</computeroutput> Booleans are available to "
-"prevent an application from transitioning to a confined domain, and "
-"therefore, the process runs in an unconfined domain, such as "
-"<computeroutput>initrc_t</computeroutput>. Turning such Booleans on can "
-"cause major problems. For example, if the "
-"<computeroutput>httpd_disable_trans</computeroutput> Boolean is turned on:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<systemitem class=\"daemon\">httpd</systemitem> runs in the unconfined "
-"<computeroutput>initrc_t</computeroutput> domain. Files created by processes "
-"running in the <computeroutput>initrc_t</computeroutput> domain may not have "
-"the same labeling rules applied as files created by a process running in the "
-"<computeroutput>httpd_t</computeroutput> domain, potentially allowing "
-"processes to create mislabeled files. This causes access problems later on."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"confined domains that are allowed to communicate with "
-"<computeroutput>httpd_t</computeroutput> can not communicate with "
-"<computeroutput>initrc_t</computeroutput>, possibly causing additional "
-"failures."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput><replaceable>domain</replaceable>_disable_trans</"
-"computeroutput> Booleans were removed from Fedora 7, even though there was "
-"no replacement. Permissive domains solve the above issues: transition rules "
-"apply, and files are created with the correct labels."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Permissive domains can be used for:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"making a single process (domain) run permissive to troubleshoot an issue, "
-"rather than putting the entire system at risk by making the entire system "
-"permissive."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"creating policies for new applications. Previously, it was recommended that "
-"a minimal policy be created, and then the entire machine put into permissive "
-"mode, so that the application could run, but SELinux denials still logged. "
-"<command>audit2allow</command> could then be used to help write the policy. "
-"This put the whole system at risk. With permissive domains, only the domain "
-"in the new policy can be marked permissive, without putting the whole system "
-"at risk."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Making a Domain Permissive"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To make a domain permissive, run the <command>semanage permissive -a "
-"<replaceable>domain</replaceable></command> command, where "
-"<replaceable>domain</replaceable> is the domain you want to make permissive. "
-"For example, run the following command as the Linux root user to make the "
-"<computeroutput>httpd_t</computeroutput> domain (the domain the Apache HTTP "
-"Server runs in) permissive:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To view a list of domains you have made permissive, run the "
-"<command>semodule -l | grep permissive</command> command as the Linux root "
-"user. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you no longer want a domain to be permissive, run the <command>semanage "
-"permissive -d <replaceable>domain</replaceable></command> command as the "
-"Linux root user. For example:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Denials for Permissive Domains"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <computeroutput>SYSCALL</computeroutput> message is different for "
-"permissive domains. The following is an example AVC denial (and the "
-"associated system call) from the Apache HTTP Server:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"By default, the <computeroutput>httpd_t</computeroutput> domain is not "
-"permissive, and as such, the action is denied, and the "
-"<computeroutput>SYSCALL</computeroutput> message contains "
-"<computeroutput>success=no</computeroutput>. The following is an example AVC "
-"denial for the same situation, except the <command>semanage permissive -a "
-"httpd_t</command> command has been run to make the <computeroutput>httpd_t</"
-"computeroutput> domain permissive:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this case, although an AVC denial was logged, access was not denied, as "
-"shown by <computeroutput>success=yes</computeroutput> in the "
-"<computeroutput>SYSCALL</computeroutput> message."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24537.html"
-"\">\"Permissive Domains\"</ulink> blog entry for further information about "
-"permissive domains."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Searching For and Viewing Denials"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"This section assumes the <package>setroubleshoot</package>, "
-"<package>setroubleshoot-server</package>, <package>dbus</package> and "
-"<package>audit</package> packages are installed, and that the <systemitem "
-"class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</"
-"systemitem>, and <systemitem class=\"daemon\">setroubleshootd</systemitem> "
-"daemons are running. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Working_with_SELinux-Which_Log_File_is_Used\" /> for information about "
-"starting these daemons. A number of tools are available for searching for "
-"and viewing SELinux denials, such as <command>ausearch</command>, "
-"<command>aureport</command>, and <command>sealert</command>."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "ausearch"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>audit</package> package provides <command>ausearch</command>. "
-"From the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>ausearch</command> is a tool that can query the "
-"audit daemon logs based for events based on different search criteria"
-"\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</"
-"refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as "
-"shipped with the <package>audit</package> package in Fedora&nbsp;&PRODVER;. "
-"</para> </footnote>. The <command>ausearch</command> tool accesses "
-"<filename>/var/log/audit/audit.log</filename>, and as such, must be run as "
-"the Linux root user:"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Searching For"
-msgstr ""
-
-#. Tag: segtitle
-#, no-c-format
-msgid "Command"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "all denials"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc</command>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "denials for that today"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -ts today</command>"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "denials from the last 10 minutes"
-msgstr ""
-
-#. Tag: seg
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -ts recent</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To search for SELinux denials for a particular service, use the <option>-c "
-"<replaceable>comm-name</replaceable></option> option, where "
-"<replaceable>comm-name</replaceable> \"is the executable’s name\"<footnote> "
-"<para> From the <citerefentry><refentrytitle>ausearch</"
-"refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as "
-"shipped with the <package>audit</package> package in Fedora&nbsp;&PRODVER;. "
-"</para> </footnote>, for example, <systemitem class=\"daemon\">httpd</"
-"systemitem> for the Apache HTTP Server, and <systemitem class=\"daemon"
-"\">smbd</systemitem> for Samba:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -c httpd</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "<command>/sbin/ausearch -m avc -c smbd</command>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "Refer to the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>ausearch</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "aureport"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>audit</package> package provides <command>aureport</command>. "
-"From the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>aureport</command> is a tool that produces summary "
-"reports of the audit system logs\"<footnote> <para> From the "
-"<citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</"
-"manvolnum></citerefentry> manual page, as shipped with the <package>audit</"
-"package> package in Fedora&nbsp;&PRODVER;. </para> </footnote>. The "
-"<command>aureport</command> tool accesses <filename>/var/log/audit/audit."
-"log</filename>, and as such, must be run as the Linux root user. To view a "
-"list of SELinux denials and how often each one occurred, run the "
-"<command>aureport -a</command> command. The following is example output that "
-"includes two denials:"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>aureport</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "sealert"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The <package>setroubleshoot-server</package> package provides "
-"<command>sealert</command>, which reads denial messages translated by "
-"<package>setroubleshoot-server</package>. Denials are assigned IDs, as seen "
-"in <filename>/var/log/messages</filename>. The following is an example "
-"denial from <filename>messages</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, the denial ID is <computeroutput>84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</computeroutput>. The <option>-l</option> option takes an ID as "
-"an argument. Running the <command>sealert -l 84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</command> command presents a detailed analysis of why SELinux "
-"denied access, and a possible solution for allowing access."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you are running the X Window System, have the <package>setroubleshoot</"
-"package> and <package>setroubleshoot-server</package> packages installed, "
-"and the <systemitem class=\"daemon\">setroubleshootd</systemitem>, "
-"<systemitem class=\"daemon\">dbus</systemitem> and <systemitem class=\"daemon"
-"\">auditd</systemitem> daemons are running, a warning is displayed when "
-"access is denied by SELinux. Clicking on 'Show' launches the "
-"<command>sealert</command> GUI, and displays denials in HTML output:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>sealert -b</command> command to launch the "
-"<command>sealert</command> GUI."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>sealert -l \\*</command> command to view a detailed "
-"analysis of all denials."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As the Linux root user, run the <command>sealert -a /var/log/audit/audit.log "
-"-H &gt; audit.html</command> command to create a HTML version of the "
-"<command>sealert</command> analysis, as seen with the <command>sealert</"
-"command> GUI."
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid "manual page for further <command>sealert</command> options."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Raw Audit Messages"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Raw audit messages are logged to <filename>/var/log/audit/audit.log</"
-"filename>. The following is an example AVC denial (and the associated system "
-"call) that occurred when the Apache HTTP Server (running in the "
-"<computeroutput>httpd_t</computeroutput> domain) attempted to access the "
-"<filename>/var/www/html/file1</filename> file (labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type):"
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "<replaceable>{ getattr }</replaceable>"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The item in braces indicates the permission that was denied. "
-"<computeroutput>getattr</computeroutput> indicates the source process was "
-"trying to read the target file's status information. This occurs before "
-"reading files. This action is denied due to the file being accessed having "
-"the wrong label. Commonly seen permissions include <computeroutput>getattr</"
-"computeroutput>, <computeroutput>read</computeroutput>, and "
-"<computeroutput>write</computeroutput>."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "comm=\"<replaceable>httpd</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The executable that launched the process. The full path of the executable is "
-"found in the <computeroutput>exe=</computeroutput> section of the system "
-"call (<computeroutput>SYSCALL</computeroutput>) message, which in this case, "
-"is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "path=\"<replaceable>/var/www/html/file1</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "The path to the object (target) the process attempted to access."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid ""
-"scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The SELinux context of the process that attempted the denied action. In this "
-"case, it is the SELinux context of the Apache HTTP Server, which is running "
-"in the <computeroutput>httpd_t</computeroutput> domain."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid ""
-"tcontext=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>"
-"\""
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The SELinux context of the object (target) the process attempted to access. "
-"In this case, it is the SELinux context of <filename>file1</filename>. Note: "
-"the <computeroutput>samba_share_t</computeroutput> type is not accessible to "
-"processes running in the <computeroutput>httpd_t</computeroutput> domain."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In certain situations, the <computeroutput>tcontext</computeroutput> may "
-"match the <computeroutput>scontext</computeroutput>, for example, when a "
-"process attempts to execute a system service that will change "
-"characteristics of that running process, such as the user ID. Also, the "
-"<computeroutput>tcontext</computeroutput> may match the "
-"<computeroutput>scontext</computeroutput> when a process tries to use more "
-"resources (such as memory) than normal limits allow, resulting in a security "
-"check to see if that process is allowed to break those limits."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"From the system call (<computeroutput>SYSCALL</computeroutput>) message, two "
-"items are of interest:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<computeroutput>success=<replaceable>no</replaceable></computeroutput>: "
-"indicates whether the denial (AVC) was enforced or not. "
-"<computeroutput>success=no</computeroutput> indicates the system call was "
-"not successful (SELinux denied access). <computeroutput>success=yes</"
-"computeroutput> indicates the system call was successful - this can be seen "
-"for permissive domains or unconfined domains, such as "
-"<computeroutput>initrc_t</computeroutput> and <computeroutput>kernel_t</"
-"computeroutput>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</"
-"computeroutput>: the full path to the executable that launched the process, "
-"which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</"
-"computeroutput>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"An incorrect file type is a common cause for SELinux denying access. To "
-"start troubleshooting, compare the source context (<computeroutput>scontext</"
-"computeroutput>) with the target context (<computeroutput>tcontext</"
-"computeroutput>). Should the process (<computeroutput>scontext</"
-"computeroutput>) be accessing such an object (<computeroutput>tcontext</"
-"computeroutput>)? For example, the Apache HTTP Server "
-"(<computeroutput>httpd_t</computeroutput>) should only be accessing types "
-"specified in the"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page, such as <computeroutput>httpd_sys_content_t</computeroutput>, "
-"<computeroutput>public_content_t</computeroutput>, and so on, unless "
-"configured otherwise."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "sealert Messages"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. "
-"The following is an example AVC denial (logged to <filename>messages</"
-"filename>) that occurred when the Apache HTTP Server (running in the "
-"<computeroutput>httpd_t</computeroutput> domain) attempted to access the "
-"<filename>/var/www/html/file1</filename> file (labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type):"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"As suggested, run the <command>sealert -l 84e0b04d-d0ad-4347-8317-"
-"22e74f6cd020</command> command to view the complete message. This command "
-"only works on the local machine, and presents the same information as the "
-"<command>sealert</command> GUI:"
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Summary"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A brief summary of the denied action. This is the same as the denial in "
-"<filename>/var/log/messages</filename>. In this example, the <systemitem "
-"class=\"daemon\">httpd</systemitem> process was denied access to a file "
-"(<filename>file1</filename>), which is labeled with the "
-"<computeroutput>samba_share_t</computeroutput> type."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Detailed Description"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A more verbose description. In this example, <filename>file1</filename> is "
-"labeled with the <computeroutput>samba_share_t</computeroutput> type. This "
-"type is used for files and directories that you want to export via Samba. "
-"The description suggests changing the type to a type that can be accessed by "
-"the Apache HTTP Server and Samba, if such access is desired."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Allowing Access"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A suggestion for how to allow access. This may be relabeling files, turning "
-"a Boolean on, or making a local policy module. In this case, the suggestion "
-"is to label the file with a type accessible to both the Apache HTTP Server "
-"and Samba."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Fix Command"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A suggested command to allow access and resolve the denial. In this example, "
-"it gives the command to change the <filename>file1</filename> type to "
-"<computeroutput>public_content_t</computeroutput>, which is accessible to "
-"the Apache HTTP Server and Samba."
-msgstr ""
-
-#. Tag: term
-#, no-c-format
-msgid "Additional Information"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Information that is useful in bug reports, such as the policy package name "
-"and version (<computeroutput>selinux-policy-3.5.13-11.fc12</"
-"computeroutput>), but may not help towards solving why the denial occurred."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The raw audit messages from <filename>/var/log/audit/audit.log</filename> "
-"that are associated with the denial. Refer to <xref linkend=\"sect-Security-"
-"Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> for information about "
-"each item in the AVC denial."
-msgstr ""
-
-#. Tag: title
-#, no-c-format
-msgid "Allowing Access: audit2allow"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Do not use the example in this section in production. It is used only to "
-"demonstrate the use of <command>audit2allow</command>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "From the"
-msgstr ""
-
-#. Tag: refentrytitle
-#, no-c-format
-msgid "audit2allow"
-msgstr ""
-
-#. Tag: citerefentry
-#, no-c-format
-msgid ""
-"manual page: \"<command>audit2allow</command> - generate SELinux policy "
-"allow rules from logs of denied operations\"<footnote> <para> From the "
-"<citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</"
-"manvolnum></citerefentry> manual page, as shipped with the "
-"<package>policycoreutils</package> package in Fedora&nbsp;&PRODVER;. </para> "
-"</footnote>. After analyzing denials as per <xref linkend=\"sect-Security-"
-"Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, and if no label "
-"changes or Booleans allowed access, use <command>audit2allow</command> to "
-"create a local policy module. After access is denied by SELinux, running the "
-"<command>audit2allow</command> command presents Type Enforcement rules that "
-"allow the previously denied access."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"The following example demonstrates using <command>audit2allow</command> to "
-"create a policy module:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"A denial and the associated system call are logged to <filename>/var/log/"
-"audit/audit.log</filename>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"In this example, <application>certwatch</application> (<computeroutput>comm="
-"\"certwatch\"</computeroutput>) was denied write access (<computeroutput>"
-"{ write }</computeroutput>) to a directory labeled with the "
-"<computeroutput>var_t</computeroutput> type "
-"(<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). "
-"Analyze the denial as per <xref linkend=\"sect-Security-Enhanced_Linux-"
-"Fixing_Problems-sealert_Messages\" />. If no label changes or Booleans "
-"allowed access, use <command>audit2allow</command> to create a local policy "
-"module."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"With a denial logged, such as the <computeroutput>certwatch</computeroutput> "
-"denial in step 1, run the <command>audit2allow -w -a</command> command to "
-"produce a human-readable description of why access was denied. The <option>-"
-"a</option> option causes all audit logs to be read. The <option>-w</option> "
-"option produces the human-readable description. The <command>audit2allow</"
-"command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as "
-"such, must be run as the Linux root user:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid "As shown, access was denied due to a missing Type Enforcement rule."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Run the <command>audit2allow -a</command> command to view the Type "
-"Enforcement rule that allows the denied access:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Missing Type Enforcement rules are usually caused by bugs in SELinux policy, "
-"and should be reported in <ulink url=\"https://bugzilla.redhat.com/\">Red "
-"Hat Bugzilla</ulink>. For Fedora, create bugs against the "
-"<computeroutput>Fedora</computeroutput> product, and select the "
-"<computeroutput>selinux-policy</computeroutput> component. Include the "
-"output of the <command>audit2allow -w -a</command> and <command>audit2allow -"
-"a</command> commands in such bug reports."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"To use the rule displayed by <command>audit2allow -a</command>, run the "
-"<command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command> "
-"command as the Linux root user to create custom module. The <option>-M</"
-"option> option creates a Type Enforcement file (<filename>.te</filename>) "
-"with the name specified with <option>-M</option>, in your current working "
-"directory:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Also, <command>audit2allow</command> compiles the Type Enforcement rule into "
-"a policy package (<filename>.pp</filename>). To install the module, run the "
-"<command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></"
-"command> command as the Linux root user."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Modules created with <command>audit2allow</command> may allow more access "
-"than required. It is recommended that policy created with "
-"<command>audit2allow</command> be posted to an SELinux list, such as <ulink "
-"url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-"
-"selinux-list</ulink>, for review. If you believe their is a bug in policy, "
-"create a bug in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat "
-"Bugzilla</ulink>."
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"If you have multiple denials from multiple processes, but only want to "
-"create a custom policy for a single process, use the <command>grep</command> "
-"command to narrow down the input for <command>audit2allow</command>. The "
-"following example demonstrates using <command>grep</command> to only send "
-"denials related to <command>certwatch</command> through "
-"<command>audit2allow</command>:"
-msgstr ""
-
-#. Tag: para
-#, no-c-format
-msgid ""
-"Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html"
-"\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> blog "
-"entry for further information about using <command>audit2allow</command> to "
-"build policy modules."
-msgstr ""
+# SOME DESCRIPTIVE TITLE.
+# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: SELinux User Guide\n"
+"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
+"POT-Creation-Date: 2010-04-15T00:19:32\n"
+"PO-Revision-Date: 2010-11-20 13:29+0500\n"
+"Last-Translator: Alexey Cicin <daydrim at gmail.com>\n"
+"Language-Team: trans-ru <trans-ru at lists.fedoraproject.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Russian\n"
+"X-Poedit-Country: RUSSIAN FEDERATION\n"
+"X-Poedit-SourceCharset: utf-8\n"
+
+#. Tag: title
+#, no-c-format
+msgid "Troubleshooting"
+msgstr "Поиск и устранение неисправностей"
+
+#. Tag: para
+#, no-c-format
+msgid "The following chapter describes what happens when SELinux denies access; the top three causes of problems; where to find information about correct labeling; analyzing SELinux denials; and creating custom policy modules with <command>audit2allow</command>."
+msgstr "В следующей главе описывается, что происходит, когда SELinux блокирует доступ: проблемы в решении вызывают три основных причины; где найти информацию о правильных метках; анализ отказов доступа SELinux; и создание специфически настроенных модулей с помощью <command>audit2allow</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "What Happens when Access is Denied"
+msgstr "Что происходит, когда блокируется доступ"
+
+#. Tag: para
+#, no-c-format
+msgid "SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. These denials are also known as \"AVC denials\", and are logged to a different location, depending on which daemons are running:"
+msgstr "Решения SELinux, такие как предоставление или блокирование доступа, кэшируются. Этот кэш называется Access Vector Cache (AVC) или кэш вектора доступа. Сообщения о блокировании доступа, журналируются, когда SELinux блокирует доступ. Эти отказы называются \"Блокировками AVC\" или \"AVC denials\" и журналируется в различные файлы, в зависимости от того, какой демон запущен:"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Daemon"
+msgstr "Демон"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Log Location"
+msgstr "Расположение файлов с журналами событий"
+
+#. Tag: seg
+#, no-c-format
+msgid "auditd on"
+msgstr "auditd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/audit/audit.log</filename>"
+msgstr "<filename>/var/log/audit/audit.log</filename>"
+
+#. Tag: seg
+#, no-c-format
+msgid "auditd off; rsyslogd on"
+msgstr "auditd off; rsyslogd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/messages</filename>"
+msgstr "<filename>/var/log/messages</filename>"
+
+#. Tag: seg
+#, no-c-format
+msgid "setroubleshootd, rsyslogd, and auditd on"
+msgstr "setroubleshootd, rsyslogd, and auditd on"
+
+#. Tag: seg
+#, no-c-format
+msgid "<filename>/var/log/audit/audit.log</filename>. Easier-to-read denial messages also sent to <filename>/var/log/messages</filename>"
+msgstr "<filename>/var/log/audit/audit.log</filename>. Проще читать сообщения о блокировках, дублируемые в <filename>/var/log/messages</filename>"
+
+#. Tag: para
+#, no-c-format
+msgid "If you are running the X Window System, have the <package>setroubleshoot</package> and <package>setroubleshoot-server</package> packages installed, and the <systemitem class=\"daemon\">setroubleshootd</systemitem> and <systemitem class=\"daemon\">auditd</systemitem> daemons are running, a warning is displayed when access is denied by SELinux:"
+msgstr "Если запущена X Window System, а также установлены пакеты <package>setroubleshoot</package> и <package>setroubleshoot-server</package>, и демоны <systemitem class=\"daemon\">setroubleshootd</systemitem> и <systemitem class=\"daemon\">auditd</systemitem> запущены, то, когда SELinux блокирует доступ, отображается предупреждение:"
+
+#. Tag: para
+#, no-c-format
+msgid "Clicking on 'Show' presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access. If you are not running the X Window System, it is less obvious when access is denied by SELinux. For example, users browsing your website may receive an error similar to the following:"
+msgstr "Нажатие на 'Show' показывает детальный анализ причин, почему SELinux блокировал доступ, и возможное решение для открытия доступа. Если система X Window System не запущена, событие блокировки доступа менее очевидно. Например, пользователи просматривающие веб-сайт могут получить ошибку похожую, на показанную ниже:"
+
+#. Tag: para
+#, no-c-format
+msgid "For these situations, if DAC rules (standard Linux permissions) allow access, check <filename>/var/log/messages</filename> and <filename>/var/log/audit/audit.log</filename> for <computeroutput>\"SELinux is preventing\"</computeroutput> and <computeroutput>\"denied\"</computeroutput> errors respectively. This can be done by running the following commands as the Linux root user:"
+msgstr "В таких ситуациях, если правила DAC (стандартные разрешения Linux) разрешают доступ, проверьте файлы <filename>/var/log/messages</filename> и <filename>/var/log/audit/audit.log</filename> на события <computeroutput>\"SELinux is preventing\"</computeroutput> и <computeroutput>\"denied\"</computeroutput>. Это можно выполнить, выполнив следующие команды от имени пользователя root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
+msgstr "<command>grep \"SELinux is preventing\" /var/log/messages</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>grep \"denied\" /var/log/audit/audit.log</command>"
+msgstr "<command>grep \"denied\" /var/log/audit/audit.log</command>"
+
+#. Tag: title
+#, no-c-format
+msgid "Top Three Causes of Problems"
+msgstr "Три основные причины возникновения проблем"
+
+#. Tag: para
+#, no-c-format
+msgid "The following sections describe the top three causes of problems: labeling problems, configuring Booleans and ports for services, and evolving SELinux rules."
+msgstr "В следующих разделах описываются три основные причины возникновения проблем: проблема меток, конфигурирование Булевых значений и портов для служб; и отслеживание правил SELinux."
+
+#. Tag: title
+#, no-c-format
+msgid "Labeling Problems"
+msgstr "Проблема Меток (проблема маркирования)"
+
+#. Tag: para
+#, no-c-format
+msgid "On systems running SELinux, all processes and files are labeled with a label that contains security-relevant information. This information is called the SELinux context. If these labels are wrong, access may be denied. If an application is labeled incorrectly, the process it transitions to may not have the correct label, possibly causing SELinux to deny access, and the process being able to create mislabeled files."
+msgstr "В системах с запущенным SELinux, все процессы и файлы маркированы метками, которые содержат информацию контекста безопасности. Эта информация называется контекстом SELinux. Если эти метки некорректны, доступ может блокироваться. Если приложение маркировано некорректно, процесс в который оно переходит может иметь некорректные метки, что возможно приведет к блокированию доступа SELinux, и такой процесс может создать некорректно маркированные файлы."
+
+#. Tag: para
+#, no-c-format
+msgid "A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using <filename>/var/www/html/</filename> for a website, an administrator wants to use <filename>/srv/myweb/</filename>. On Fedora&nbsp;&PRODVER;, the <filename>/srv/</filename> directory is labeled with the <computeroutput>var_t</computeroutput> type. Files and directories created and <filename>/srv/</filename> inherit this type. Also, newly-created top-level directories (such as <filename>/myserver/</filename>) may be labeled with the <computeroutput>default_t</computeroutput> type. SELinux prevents the Apache HTTP Server (<systemitem class=\"daemon\">httpd</systemitem>) from accessing both of these types. To allow access, SELinux must know that the files in <filename>/srv/myweb/</filename> are to be accessible to <systemitem class=\"daemon\">httpd</systemitem>:"
+msgstr "Основная причина проблем с маркированием - это использование нестандартных каталогов для служб. Например, вместо использования <filename>/var/www/html/</filename> для вебсайта, администратор  может использовать <filename>/srv/myweb/</filename> В Fedora&nbsp;&PRODVER;, каталог <filename>/srv/</filename> помечен типом <computeroutput>var_t</computeroutput>. Файлы и каталоги создаваемые в <filename>/srv/</filename> наследуют этот тип. Также вновь созданные каталоги корневого уровня, такие как <filename>/myserver/</filename>, могут быть помечены типом <computeroutput>default_t</computeroutput>. SELinux предотвращает Apache HTTP Server (<systemitem class=\"daemon\">httpd</systemit
 em>) от получения доступа к этим типам. Для предоставления доступа, SELinux должен знать о том, что файлы в <filename>/srv/myweb/</filename> доступны <systemitem class=\"daemon\">httpd</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid "This <command>semanage</command> command adds the context for the <filename>/srv/myweb/</filename> directory (and all files and directories under it) to the SELinux file-context configuration<footnote> <para> Files in <filename>/etc/selinux/targeted/contexts/files/</filename> define contexts for files and directories. Files in this directory are read by <command>restorecon</command> and <command>setfiles</command> to restore files and directories to their default contexts. </para> </footnote>. The <command>semanage</command> command does not change the context. As the Linux root user, run the <command>restorecon</command> command to apply the changes:"
+msgstr "Команда <command>semanage</command> добавляет контекст к каталогу <filename>/srv/myweb/</filename> (и всем файлам и каталогам в нём) к конфигурации контекста SELinux<footnote> <para> Файлы в <filename>/etc/selinux/targeted/contexts/files/</filename> определяют контексты для файлов и каталогов. Файлы в этом каталоге считываются  <command>restorecon</command> и <command>setfiles</command> для восстановления контекстов к их значениям по-умочанию. </para> </footnote>. Команда <command>semanage</command> не изменяет контекста. От имени пользователя root, выполните команду <command>restorecon</command> для применения изменений:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" /> for further information about adding contexts to the file-context configuration."
+msgstr "Дополнительная информаци о добавлении контекстов к конфигурации доступна в разделе <xref linkend=\"sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext\" />."
+
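Review bot: in the msgstr for the `/srv/myweb/` labeling paragraph, the closing tag is split across two lines as `</systemit` / ` em>` and the continuation line carries no `+` marker. Please confirm the committed .po has `</systemitem>` intact, because a split tag would leave the translated paragraph with malformed markup. The same msgstr drops the full stop after `<filename>/srv/myweb/</filename>` before "В Fedora". There are two spelling slips in the entries that follow: "по-умочанию" should be "по умолчанию", and "информаци" should be "информации". Further up, the chapter-intro msgstr turns the list item "the top three causes of problems" into a clause after a colon ("проблемы в решении вызывают три основных причины"), which no longer matches the msgid. The section-title entry already uses "три основные причины возникновения проблем", so reuse that wording and keep the semicolon-separated list. The new header also still carries the `# SOME DESCRIPTIVE TITLE.` and `# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.` placeholder comments, which could be filled in now that the file has a real translator and team.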
+#. Tag: title
+#, no-c-format
+msgid "What is the Correct Context?"
+msgstr "Как определить правильный контекст?"
+
+#. Tag: para
+#, no-c-format
+msgid "The <command>matchpathcon</command> command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using <command>matchpathcon</command> on a directory that contains incorrectly labeled files:"
+msgstr "Команда <command>matchpathcon</command> проверяет контекст для файла и сверяет с его контекстом по умолчанию. В следующем примере демонстрируется использование <command>matchpathcon</command> для каталога, который содержит некорректно маркированные файлы:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, the <filename>index.html</filename> and <filename>page1.html</filename> files are labeled with the <computeroutput>user_home_t</computeroutput> type. This type is used for files in user home directories. Using the <command>mv</command> command to move files from your home directory may result in files being labeled with the <computeroutput>user_home_t</computeroutput> type. This type should not exist outside of home directories. Use the <command>restorecon</command> command to restore such files to their correct type:"
+msgstr "В этом примере файлы <filename>index.html</filename> и <filename>page1.html</filename> помечены типом <computeroutput>user_home_t</computeroutput>. Этот тип используется для файлов в домашних каталогах пользователей. Используя команду <command>mv</command> для перемещения файлов из вашего домашнего каталога может привести к тому, что файлы будут маркированы типом <computeroutput>user_home_t</computeroutput>. Этот тип не должен существовать вне домашних каталогов. Используйте команду <command>restorecon</command> для восстановления корректного типа таких файлов:"
+
+#. Tag: para
+#, no-c-format
+msgid "To restore the context for all files under a directory, use the <option>-R</option> option:"
+msgstr "Для восстановления контекста всех файлов в каталоге используйте опцию <option>-R</option>:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" /> for a more detailed example of <command>matchpathcon</command>."
+msgstr "Дополнительные примеры использования <command>matchpathcon</command> доступны по ссылке: <xref linkend=\"sect-Security-Enhanced_Linux-Maintaining_SELinux_Labels_-Checking_the_Default_SELinux_Context\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "How are Confined Services Running?"
+msgstr "Как работают ограниченные службы?"
+
+#. Tag: para
+#, no-c-format
+msgid "Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the <command>semanage</command> command."
+msgstr "Службы могут работать в нескольких режимах. Для того, чтобы обеспечить режимы, необходимо сообщить SELinux как необходимо запускать службы. Это может быть достигнуто через Булевы переменные, которые позволяют частям политики SELinux изменяться в рабочем режиме, без понимания написания политики SELinux. Это позволяет вносить изменения, такие, как доступ к файловым системам NFS, без перегрузки или рекомпиляции политики SELinux. Также запуск служб на нестандартном порту требует изменения политики с помощью команды <command>semanage</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "For example, to allow the Apache HTTP Server to communicate with MySQL, turn the <computeroutput>httpd_can_network_connect_db</computeroutput> Boolean on:"
+msgstr "Например для разрешения Apache HTTP Server связываться с MySQL, переключите Булево значение <computeroutput>httpd_can_network_connect_db</computeroutput> в состояние включено (on):"
+
+#. Tag: para
+#, no-c-format
+msgid "If access is denied for a particular service, use the <command>getsebool</command> and <command>grep</command> commands to see if any Booleans are available to allow access. For example, use the <command>getsebool -a | grep ftp</command> command to search for FTP related Booleans:"
+msgstr "Если доступ заблокирован для определенной службы, используйте команды <command>getsebool</command> и <command>grep</command>, для просмотра есть ли Булевы переменные для предоставления доступа. Например, используйте команду <command>getsebool -a | grep ftp</command> для поиска соответствующих Булевых значений для FTP:"
+
+#. Tag: para
+#, no-c-format
+msgid "For a list of Booleans and whether they are on or off, run the <command>/usr/sbin/getsebool -a</command> command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the <command>/usr/sbin/semanage boolean -l</command> command as the Linux root user. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans\" /> for information about listing and configuring Booleans."
+msgstr "Для просмотра Булевых значений и определения включены они или выключены, выполните команду <command>/usr/sbin/getsebool -a</command>. Для просмотра списка Булевых значений и определения их назначения, а также их состояния, выполните команду <command>/usr/sbin/semanage boolean -l</command> от имени пользователя root. Дополнительная информация о списках и конфигурировании Булевых значений доступна в разделе: <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans\" />"
+
+#. Tag: title
+#, no-c-format
+msgid "Port Numbers"
+msgstr "Номера портов"
+
+#. Tag: para
+#, no-c-format
+msgid "Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the <command>semanage port -l | grep http</command> command as the Linux root user to list <systemitem class=\"daemon\">http</systemitem> related ports:"
+msgstr "В зависимости от конфигурации политики, службам может быть разрешено работать только на определенном диапазоне портов. Попытка изменить порт службы без изменения политики, может привести к невозможности запуска службы. Например, выполните команду <command>semanage port -l | grep http</command> от имени пользователя root для просмотра разрешенных портов относящихся к <systemitem class=\"daemon\">http</systemitem>:"
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput>http_port_t</computeroutput> port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures <filename>httpd.conf</filename> so that <systemitem class=\"daemon\">httpd</systemitem> listens on port 9876 (<option>Listen 9876</option>), but policy is not updated to reflect this, the <command>service httpd start</command> command fails:"
+msgstr "Тип порта <computeroutput>http_port_t</computeroutput> определяет порт, который Apache HTTP Server может слушать, которые, в нашем случае, TCP 80, 443,488, 8008, 8009 и 8443. Если администратор сконфигурировал <filename>httpd.conf</filename> так, что <systemitem class=\"daemon\">httpd</systemitem> слушает порт 9876 (<option>Listen 9876</option>), но политика не обновлена в соответствии с этим изменением, то команда <command>service httpd start</command> завершится с ошибкой:"
+
+#. Tag: para
+#, no-c-format
+msgid "An SELinux denial similar to the following is logged to <filename>/var/log/audit/audit.log</filename>:"
+msgstr "Отказ в доступе SELinux будет схож со следующим событием, записанным в <filename>/var/log/audit/audit.log</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "To allow <systemitem class=\"daemon\">httpd</systemitem> to listen on a port that is not listed for the <computeroutput>http_port_t</computeroutput> port type, run the <command>semanage port</command> command to add a port to policy configuration<footnote> <para> The <command>semanage port -a</command> command adds an entry to the <filename>/etc/selinux/targeted/modules/active/ports.local</filename> file. Note: by default, this file can only be viewed by the Linux root user. </para> </footnote>:"
+msgstr "Для разрешения <systemitem class=\"daemon\">httpd</systemitem> слушать порт, который не перечислен в типе <computeroutput>http_port_t</computeroutput>, выполните команду <command>semanage port</command> для добавления порта в политику<footnote> <para> Команда <command>semanage port -a</command> добавляет запись в файл <filename>/etc/selinux/targeted/modules/active/ports.local</filename>. Примечание: по умолчанию, этот файл может быть просмотрен только пользователем root. </para> </footnote>:"
+
+#. Tag: para
+#, no-c-format
+msgid "The <option>-a</option> option adds a new record; the <option>-t</option> option defines a type; and the <option>-p</option> option defines a protocol. The last argument is the port number to add."
+msgstr "Опция <option>-a</option> добавляет новую запись; опция <option>-t</option> определяет тип, а опция <option>-p</option> определяет протокол. Последний аргумент - это номер добавляемого порта."
+
+#. Tag: title
+#, no-c-format
+msgid "Evolving Rules and Broken Applications"
+msgstr "Разбор правил и нарушенная работа приложений"
+
+#. Tag: para
+#, no-c-format
+msgid "Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving - SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed."
+msgstr "Работа приложения может быть нарушена, по причине блокировок доступа SELinux. Такие правила SELinux необходимо разбирать детально - SELinux может не определять приложение работающее по своим правилам, даже если приложение работает в штатном режиме. Например, если выпущена новая версия PostgreSQL, она может выполнять действия, о которых текущая политика SELinux не знает, приводя к отказу в доступе, даже если доступ должен быть предоставлен."
+
+#. Tag: para
+#, no-c-format
+msgid "For these situations, after access is denied, use <command>audit2allow</command> to create a custom policy module to allow access. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow\" /> for information about using <command>audit2allow</command>."
+msgstr "Для таких ситуаций, если доступ блокирован, используйте <command>audit2allow</command> для создания специфичного модуля политики для предоставления доступа. Дополнительная информация об использовании <command>audit2allow</command> доступна в разделе <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "Fixing Problems"
+msgstr "Устранение проблем"
+
+#. Tag: para
+#, no-c-format
+msgid "The following sections help troubleshoot issues. They go over: checking Linux permissions, which are checked before SELinux rules; possible causes of SELinux denying access, but no denials being logged; manual pages for services, which contain information about labeling and Booleans; permissive domains, for allowing one process to run permissive, rather than the whole system; how to search for and view denial messages; analyzing denials; and creating custom policy modules with <command>audit2allow</command>."
+msgstr "В следующих разделах рассматриваются вопросы поиска и устранения неисправностей и проблем. В них рассматривается: проверка разрешений Linux, что должно проверяться перед правилами SELinux; возможные причины блокировки доступа SELinux, с условием отсутствия сообщений в лог-файлах; страницы руководства (manual pages) для служб, которые содержат информацию о метках и Булевых значениях; разрешенные (permissive) домены, для разрешения одному процессу работать в разрешительном режиме, а не только всей системе телеком; способы поиска и просмотра сообщени
 й об отказах в доступе; анализ отказов в доступе; и создание индивидуальных модулей политики с помощью <command>audit2allow</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "Linux Permissions"
+msgstr "Разрешения Linux"
+
+#. Tag: para
+#, no-c-format
+msgid "When access is denied, check standard Linux permissions. As mentioned in <xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, most operating systems use a Discretionary Access Control (DAC) system to control access, allowing users to control the permissions of files that they own. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first."
+msgstr "Если доступ блокируется, проверьте стандартные разрешения Linux. Как упоминается в <xref linkend=\"chap-Security-Enhanced_Linux-Introduction\" />, большинство операционных систем использует Дискреционный Контроль Доступа Discretionary Access Control (DAC) для управления доступом, позволяя пользователям контролировать разрешения над файлами, которыми они владеют. Правила политики SELinux проверяются после правил DAC. Правила политики SELinux не используются, если правила DAC блокировали доступ первыми."
+
+#. Tag: para
+#, no-c-format
+msgid "If access is denied and no SELinux denials are logged, use the <command>ls -l</command> command to view the standard Linux permissions:"
+msgstr "Если доступ блокирован и нет никаких сообщений о блокировках SELinux, используйте команду <command>ls -l</command> для просмотра стандартных разрешений Linux:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, <filename>index.html</filename> is owned by the root user and group. The root user has read and write permissions (<computeroutput>-rw</computeroutput>), and members of the root group have read permissions (<computeroutput>-r-</computeroutput>). Everyone else has no access (<computeroutput>---</computeroutput>). By default, such permissions do not allow <systemitem class=\"daemon\">httpd</systemitem> to read this file. To resolve this issue, use the <command>chown</command> command to change the owner and group. This command must be run as the Linux root user:"
+msgstr "В этом примере, владельцем файла <filename>index.html</filename> является пользователь и группа root. У пользователя root есть права на чтение и запись (<computeroutput>-rw</computeroutput>), и у членов группы root есть разрешение на чтение (<computeroutput>-r-</computeroutput>). У группы Everyone нет доступа (<computeroutput>---</computeroutput>). По умолчанию, такие разрешения не разрешают  <systemitem class=\"daemon\">httpd</systemitem> читать этот файл. Для решения этой проблемы, используйте команду <command>chown</command> для смены владельца и группы. Эта команда должна быть выполнена от имени пользователя root:"
+
+#. Tag: para
+#, no-c-format
+msgid "This assumes the default configuration, in which <systemitem class=\"daemon\">httpd</systemitem> runs as the Linux apache user. If you run <systemitem class=\"daemon\">httpd</systemitem> with a different user, replace <computeroutput>apache:apache</computeroutput> with that user."
+msgstr "Данные действия подразумевают конфигурацию по умолчанию, в которой <systemitem class=\"daemon\">httpd</systemitem> работает от имени пользователя apache. Если <systemitem class=\"daemon\">httpd</systemitem> запускается от имени другого пользователя, замените <computeroutput>apache:apache</computeroutput> на этого пользователя."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions\"</ulink> draft for information about managing Linux permissions."
+msgstr "Дополнительная информация об управлении разрешениями Linux доступна по ссылке <ulink url=\"http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Permissions\">Fedora Documentation Project \"Permissions\"</ulink>."
+
+#. Tag: title
+#, no-c-format
+msgid "Possible Causes of Silent Denials"
+msgstr "Возможные причины блокировок без оповещения"
+
+#. Tag: para
+#, no-c-format
+msgid "In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than required to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using <computeroutput>dontaudit</computeroutput> rules. These rules are common in standard policy. The downside of <computeroutput>dontaudit</computeroutput> is that, although SELinux denies access, denial messages are not logged, making troubleshooting hard."
+msgstr "Ð’ некоторых ситуациях, блокировки AVC могут не журналироваться, когда SELinux блокирует доступ. Приложения и функции системных библиотек часто требуют большего доступа, чем нужно, для выполнения своих задач. Для поддержки минимальных доступов без заполнения журналов аудита, блокировками AVC о безвредных запросах приложений, политика может выполнять блокировки AVC без сообщений,  не разрешая доступ, используя правила <computeroutput>dontaudit</computeroutput>. Эти правила общие в стандартной политике. Плохая сторона <computeroutput>dontaudit</computeroutput> заключается в Ñ‚Ð
 ¾Ð¼, что, хотя SELinux блокирует доступ, сообщения о блокировке не журналируются, таким образом, делая разбор и устранение ошибок сложным."
+
+#. Tag: para
+#, no-c-format
+msgid "To temporarily disable <computeroutput>dontaudit</computeroutput> rules, allowing all denials to be logged, run the following command as the Linux root user:"
+msgstr "Для временного отключения правил <computeroutput>dontaudit</computeroutput>, позволяющим всем блокировкам журналироваться, выполните следующую команду от имени пользователя root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semodule -DB</command>"
+msgstr "<command>/usr/sbin/semodule -DB</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "The <option>-D</option> option disables <computeroutput>dontaudit</computeroutput> rules; the <option>-B</option> option rebuilds policy. After running <command>semodule -DB</command>, try exercising the application that was encountering permission problems, and see if SELinux denials &mdash; relevant to the application &mdash; are now being logged. Take care in deciding which denials should be allowed, as some should be ignored and handled via <computeroutput>dontaudit</computeroutput> rules. If in doubt, or in search of guidance, contact other SELinux users and developers on an SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>."
+msgstr "Опция <option>-D</option> отключает правила <computeroutput>dontaudit</computeroutput>; опция <option>-B</option> перестраивает политику. После выполнения команды <command>semodule -DB</command>, попробуйте изучить приложение, встречающее проблемы в разрешениях и просмотрите блокировки SELinux &mdash; относящиеся к приложению &mdash;, которые теперь содержатся в лог-файлах. Позаботьтесь о принятии решений, какие правила разрешить, а какие проигнорировать через правила <computeroutput>dontaudit</computeroutput>. Если есть сомнения или требуется совет, свяжитесь с пользователями и разработчиками SELinux: <ulink url=\"
 http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>."
+
+#. Tag: para
+#, no-c-format
+msgid "To rebuild policy and enable <computeroutput>dontaudit</computeroutput> rules, run the following command as the Linux root user:"
+msgstr "Для перестройки политики и включения правил <computeroutput>dontaudit</computeroutput>, выполните команду от имени пользователя root:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semodule -B</command>"
+msgstr "<command>/usr/sbin/semodule -B</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "This restores the policy to its original state. For a full list of <computeroutput>dontaudit</computeroutput> rules, run the <command>sesearch --dontaudit</command> command. Narrow down searches using the <option>-s <replaceable>domain</replaceable></option> option and the <command>grep</command> command. For example:"
+msgstr "Данная команда восстанавливает политику к её исходному состоянию. Для вывода всех правил <computeroutput>dontaudit</computeroutput>, выполните команду <command>sesearch --dontaudit</command>. Сузить поиск можно с использованием опции <option>-s <replaceable>domain</replaceable></option> и команды <command>grep</command>. Например:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" /> for information about analyzing denials."
+msgstr "Информация об анализе блокировок доступна в разделах: <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> and <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />."
+
+#. Tag: title
+#, no-c-format
+msgid "Manual Pages for Services"
+msgstr "Cтраницы руководства (manual pages) для служб"
+
+#. Tag: para
+#, no-c-format
+msgid "Manual pages for services contain valuable information, such as what file type to use for a given situation, and Booleans to change the access a service has (such as <systemitem class=\"daemon\">httpd</systemitem> accessing NFS file systems). This information may be in the standard manual page, or a manual page with <computeroutput>selinux</computeroutput> prepended or appended."
+msgstr "Страницы руководства для служб содержат важную информацию, такую как, какой тип файла используется в определенной ситуации, и какие Булевы переменные необходимо изменить для предоставления доступа службе (такой как <systemitem class=\"daemon\">httpd</systemitem>, получающей доступ к файловым системам NFS). Информация может быть в стандартной странице руководства или странице руководства с добавленным разделом <computeroutput>selinux</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "For example, the"
+msgstr "Например, страница руководства"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "httpd_selinux"
+msgstr "httpd_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page has information about what file type to use for a given situation, as well as Booleans to allow scripts, sharing files, accessing directories inside user home directories, and so on. Other manual pages with SELinux information for services include:"
+msgstr "содержит информацию о том, какой тип файла используется, какие Булевы переменные разрешают скрипты, публикацию файлов, доступ к каталогам внутри домашних каталогов и так далее. Другие страницы руководства с информацией о SELinux для служб включают:"
+
+#. Tag: para
+#, no-c-format
+msgid "Samba: the"
+msgstr "Samba: страница руководства"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "samba_selinux"
+msgstr "samba_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that files and directories to be exported via Samba must be labeled with the <computeroutput>samba_share_t</computeroutput> type, as well as Booleans to allow files labeled with types other than <computeroutput>samba_share_t</computeroutput> to be exported via Samba."
+msgstr "содержит информацию о файлах и каталогах, которые могут быть экспортированы через самбу, помеченные типом <computeroutput>samba_share_t</computeroutput>, а также о Булевых переменных, разрешающих экспортировать через Samba файлы помеченные типом отличным от <computeroutput>samba_share_t</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "NFS: the"
+msgstr "NFS: страница руководства"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "nfs_selinux"
+msgstr "nfs_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that, by default, file systems can not be exported via NFS, and that to allow file systems to be exported, Booleans such as <computeroutput>nfs_export_all_ro</computeroutput> or <computeroutput>nfs_export_all_rw</computeroutput> must be turned on."
+msgstr "содержит информацию о том, что по умолчанию файловые системы не могут быть экспортированы через NFS; и для разрешения экспорта файловых систем, Булевы переменные, такие как <computeroutput>nfs_export_all_ro</computeroutput> или <computeroutput>nfs_export_all_rw</computeroutput> должны быть включены."
+
+#. Tag: para
+#, no-c-format
+msgid "Berkeley Internet Name Domain (BIND): the"
+msgstr "Berkeley Internet Name Domain (BIND): страница руководства"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "named"
+msgstr "named"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes what file type to use for a given situation (see the <computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> section). The"
+msgstr "содержит информацию о том, какой тип файла используется в данной ситуации (раздел <computeroutput>Red Hat SELinux BIND Security Profile</computeroutput> section). Страница руководства"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "named_selinux"
+msgstr "named_selinux"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page describes that, by default, <systemitem class=\"daemon\">named</systemitem> can not write to master zone files, and to allow such access, the <computeroutput>named_write_master_zones</computeroutput> Boolean must be turned on."
+msgstr "содержит информацию о том, что по умолчанию,  <systemitem class=\"daemon\">named</systemitem> не может осуществлять запись в файлы зон, и для разрешения такого доступа Булева переменная <computeroutput>named_write_master_zones</computeroutput> должна быть включена."
+
+#. Tag: para
+#, no-c-format
+msgid "The information in manual pages helps you configure the correct file types and Booleans, helping to prevent SELinux from denying access."
+msgstr "Информация в страницах руководства помогает настроить корректные типы файлов и Булевы переключатели, предотвращая SELinux от блокирования доступа."
+
+#. Tag: title
+#, no-c-format
+msgid "Permissive Domains"
+msgstr "Разрешающие домены (Permissive Domains)"
+
+#. Tag: para
+#, no-c-format
+msgid "When SELinux is running in permissive mode, SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Previously, it was not possible to make a single domain permissive (remember: processes run in domains). In certain situations, this led to making the whole system permissive to troubleshoot issues."
+msgstr "Когда SELinux запущен в разрешающем режиме, SELinux не блокирует доступ, но блокировки журналируются как действия, которые были бы блокированы, если запущен принудительный режим. Раньше, не было возможности сделать определенный домен разрешающим (помните: процессы запускаются в доменах). В некоторых ситуациях, это ведет к тому, чтобы сделать всю систему разрешающей для диагностики и исправления ошибок."
+
+#. Tag: para
+#, no-c-format
+msgid "Fedora&nbsp;&PRODVER; includes permissive domains, where an administrator can configure a single process (domain) to run permissive, rather than making the whole system permissive. SELinux checks are still performed for permissive domains; however, the kernel allows access and reports an AVC denial for situations where SELinux would have denied access. Permissive domains are also available in Fedora 9 (with the latest updates applied)."
+msgstr "Fedora&nbsp;&PRODVER; включает разрешающие домены, где администратор может сконфигурировать определенный процесс (домен) для запуска в разрешающем режиме, вместо того, чтобы всю систему перевести в разрешающий режим. SELinux всё равно выполняет проверки разрешающих доменов; однако, ядро предоставляет доступ и сообщает AVC об отказах в доступе, когда SELinux блокирует доступ. Разрешающие домены доступны также и в Fedora 9 (с установленными последними обновлениями)."
+
+#. Tag: para
+#, no-c-format
+msgid "In Red Hat Enterprise Linux 4 and 5, <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> Booleans are available to prevent an application from transitioning to a confined domain, and therefore, the process runs in an unconfined domain, such as <computeroutput>initrc_t</computeroutput>. Turning such Booleans on can cause major problems. For example, if the <computeroutput>httpd_disable_trans</computeroutput> Boolean is turned on:"
+msgstr "В Red Hat Enterprise Linux 4 and 5, доступны Булевы переключатели <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> для предотвращения приложений выполнения переходов (transitions) в ограниченный домен, кроме того, процесс, запускается в неограниченном домене, таком как <computeroutput>initrc_t</computeroutput>. Настройка подобных Булевых значений может привести к возникновению значительных проблем. Например, если Булево значение <computeroutput>httpd_disable_trans</computeroutput>  включено:"
+
+#. Tag: para
+#, no-c-format
+msgid "<systemitem class=\"daemon\">httpd</systemitem> runs in the unconfined <computeroutput>initrc_t</computeroutput> domain. Files created by processes running in the <computeroutput>initrc_t</computeroutput> domain may not have the same labeling rules applied as files created by a process running in the <computeroutput>httpd_t</computeroutput> domain, potentially allowing processes to create mislabeled files. This causes access problems later on."
+msgstr "<systemitem class=\"daemon\">httpd</systemitem> запустится в неограниченном <computeroutput>initrc_t</computeroutput> домене. Файлы созданные таким процессом, запущенном в <computeroutput>initrc_t</computeroutput> домене, могут не получить меток безопасности, которые получат файлы, созданные в домене <computeroutput>httpd_t</computeroutput>, потенциально позволяя процессам создавать некорректно промаркированные файлы. В дальнейшем такие ситуации вызывают проблемы."
+
+#. Tag: para
+#, no-c-format
+msgid "confined domains that are allowed to communicate with <computeroutput>httpd_t</computeroutput> can not communicate with <computeroutput>initrc_t</computeroutput>, possibly causing additional failures."
+msgstr "ограниченный домены, которым разрешено взаимодействовать с <computeroutput>httpd_t</computeroutput>, не разрешено взаимодействовать с <computeroutput>initrc_t</computeroutput>, возможно такие ситуации приводят к дополнительным проблемам."
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> Booleans were removed from Fedora 7, even though there was no replacement. Permissive domains solve the above issues: transition rules apply, and files are created with the correct labels."
+msgstr "Булевы значения <computeroutput><replaceable>domain</replaceable>_disable_trans</computeroutput> были удалены из Fedora 7, и для них не подразумевается никакой замены. Разрешающие домены решают подобные ситуации: правила переходов применяются и файлы создаются с корректными метками."
+
+#. Tag: para
+#, no-c-format
+msgid "Permissive domains can be used for:"
+msgstr "Разрешающие домены могут быть использованы для:"
+
+#. Tag: para
+#, no-c-format
+msgid "making a single process (domain) run permissive to troubleshoot an issue, rather than putting the entire system at risk by making the entire system permissive."
+msgstr "Перевести работу определенного процесса (домена) в разрешающий режим для анализа и выявления проблем, вместо подвержения риску целой системы, засчет перевода системы в разрешающий режим."
+
+#. Tag: para
+#, no-c-format
+msgid "creating policies for new applications. Previously, it was recommended that a minimal policy be created, and then the entire machine put into permissive mode, so that the application could run, but SELinux denials still logged. <command>audit2allow</command> could then be used to help write the policy. This put the whole system at risk. With permissive domains, only the domain in the new policy can be marked permissive, without putting the whole system at risk."
+msgstr "создания политик для нового приложения. Раньше, рекомендовалось, создавать минимальную политику, и затем вся машина перемещалась в разрешающий режим, так, чтобы приложения могло выполниться, но блокировки SELinux всё равно логировались. Дальше команда <command>audit2allow</command> могла быть использована для создания политики. Это делает всю систему уязвимой. С использованием разрешающих доменов, только домен в новой политике помечается как разрешающий, без риска уязвимости всей системы."
+
+#. Tag: title
+#, no-c-format
+msgid "Making a Domain Permissive"
+msgstr "Подготовка разрешающего домена"
+
+#. Tag: para
+#, no-c-format
+msgid "To make a domain permissive, run the <command>semanage permissive -a <replaceable>domain</replaceable></command> command, where <replaceable>domain</replaceable> is the domain you want to make permissive. For example, run the following command as the Linux root user to make the <computeroutput>httpd_t</computeroutput> domain (the domain the Apache HTTP Server runs in) permissive:"
+msgstr "Для того чтобы сделать домен разрешающим, необходимо выполнить команду <command>semanage permissive -a <replaceable>domain</replaceable></command>, где <replaceable>domain</replaceable> - это домен, который нужно сделать разрешающим. Например, выполнение следующей команды от имени пользователя root, сделает домен <computeroutput>httpd_t</computeroutput> (домен, в котором запускается Apache HTTP Server) разрешающим:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
+msgstr "<command>/usr/sbin/semanage permissive -a httpd_t</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "To view a list of domains you have made permissive, run the <command>semodule -l | grep permissive</command> command as the Linux root user. For example:"
+msgstr "Для просмотра доменов, работающих в разрешающем режиме, выполните команду <command>semodule -l | grep permissive</command> от имени пользователя root. Например:"
+
+#. Tag: para
+#, no-c-format
+msgid "If you no longer want a domain to be permissive, run the <command>semanage permissive -d <replaceable>domain</replaceable></command> command as the Linux root user. For example:"
+msgstr "Если вам больше не требуется существование разрешающего домена, выполните команду <command>semanage permissive -d <replaceable>domain</replaceable></command> от имени пользователя root. Например:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
+msgstr "<command>/usr/sbin/semanage permissive -d httpd_t</command>"
+
+#. Tag: title
+#, no-c-format
+msgid "Denials for Permissive Domains"
+msgstr "Блокировки для Разрешающих доменов"
+
+#. Tag: para
+#, no-c-format
+msgid "The <computeroutput>SYSCALL</computeroutput> message is different for permissive domains. The following is an example AVC denial (and the associated system call) from the Apache HTTP Server:"
+msgstr "Сообщение <computeroutput>SYSCALL</computeroutput> отличается для разрешающих доменов. Ниже показан пример блокировки AVC (и соответствующего системного вызова) от Apache HTTP Server:"
+
+#. Tag: para
+#, no-c-format
+msgid "By default, the <computeroutput>httpd_t</computeroutput> domain is not permissive, and as such, the action is denied, and the <computeroutput>SYSCALL</computeroutput> message contains <computeroutput>success=no</computeroutput>. The following is an example AVC denial for the same situation, except the <command>semanage permissive -a httpd_t</command> command has been run to make the <computeroutput>httpd_t</computeroutput> domain permissive:"
+msgstr "По умолчанию, домен <computeroutput>httpd_t</computeroutput> не разрешающий и, как следствие, действие блокируется и сообщение <computeroutput>SYSCALL</computeroutput> содержит <computeroutput>success=no</computeroutput>. Ниже показан пример блокировки AVC для такой же ситуации, за исключением выполненной команды <command>semanage permissive -a httpd_t</command> для запуска домена <computeroutput>httpd_t</computeroutput> в разрешающем режиме:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this case, although an AVC denial was logged, access was not denied, as shown by <computeroutput>success=yes</computeroutput> in the <computeroutput>SYSCALL</computeroutput> message."
+msgstr "В этом случае, несмотря на то, что блокировка AVC записана, доступ не блокирован, как показано в сообщении <computeroutput>SYSCALL</computeroutput> <computeroutput>success=yes</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24537.html\">\"Permissive Domains\"</ulink> blog entry for further information about permissive domains."
+msgstr "Дополнительная информация в блоге Dan Walsh <ulink url=\"http://danwalsh.livejournal.com/24537.html\">\"Permissive Domains\"</ulink> о разрешающих доменах."
+
+#. Tag: title
+#, no-c-format
+msgid "Searching For and Viewing Denials"
+msgstr "Поиск и просмотр блокировок"
+
+#. Tag: para
+#, no-c-format
+msgid "This section assumes the <package>setroubleshoot</package>, <package>setroubleshoot-server</package>, <package>dbus</package> and <package>audit</package> packages are installed, and that the <systemitem class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</systemitem>, and <systemitem class=\"daemon\">setroubleshootd</systemitem> daemons are running. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used\" /> for information about starting these daemons. A number of tools are available for searching for and viewing SELinux denials, such as <command>ausearch</command>, <command>aureport</command>, and <command>sealert</command>."
+msgstr "В этом разделе предполагается, что пакеты <package>setroubleshoot</package>, <package>setroubleshoot-server</package>, <package>dbus</package> и <package>audit</package> установлены, и демоны  <systemitem class=\"daemon\">auditd</systemitem>, <systemitem class=\"daemon\">rsyslogd</systemitem> и <systemitem class=\"daemon\">setroubleshootd</systemitem> запущены. В соответствии с разделом <xref linkend=\"sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used\" /> об информации о запуске этих демонов. Часть этих утилит используется для поиска и просмотра блокировок SELinux, такие как <command>ausearch</command>, <command>aureport</command> и <command>sealert</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "ausearch"
+msgstr "ausearch"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>audit</package> package provides <command>ausearch</command>. From the"
+msgstr "Пакет <package>audit</package> предоставляет <command>ausearch</command>. Из"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>ausearch</command> is a tool that can query the audit daemon logs based for events based on different search criteria\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora&nbsp;&PRODVER;. </para> </footnote>. The <command>ausearch</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user:"
+msgstr "страницы руководства : \"<command>ausearch</command> - это инструмент который запрашивает логи демона аудита, построенных на событиях, основанных на различных критериях поиска\"<footnote> <para> Из <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> страницы руководства, поставляемой с пакетом <package>audit</package> в Fedora&nbsp;&PRODVER;. </para> </footnote>. Инструмент <command>ausearch</command> запрашивает <filename>/var/log/audit/audit.log</filename> и, как следствие, должен быть запущен от имени пользователя root:"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Searching For"
+msgstr "Поиск"
+
+#. Tag: segtitle
+#, no-c-format
+msgid "Command"
+msgstr "Команда"
+
+#. Tag: seg
+#, no-c-format
+msgid "all denials"
+msgstr "все блокировки"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc</command>"
+msgstr "<command>/sbin/ausearch -m avc</command>"
+
+#. Tag: seg
+#, no-c-format
+msgid "denials for that today"
+msgstr "блокировки за сегодняшний день"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -ts today</command>"
+msgstr "<command>/sbin/ausearch -m avc -ts today</command>"
+
+#. Tag: seg
+#, no-c-format
+msgid "denials from the last 10 minutes"
+msgstr "блокировки за последние 10 минут"
+
+#. Tag: seg
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -ts recent</command>"
+msgstr "<command>/sbin/ausearch -m avc -ts recent</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "To search for SELinux denials for a particular service, use the <option>-c <replaceable>comm-name</replaceable></option> option, where <replaceable>comm-name</replaceable> \"is the executable’s name\"<footnote> <para> From the <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora&nbsp;&PRODVER;. </para> </footnote>, for example, <systemitem class=\"daemon\">httpd</systemitem> for the Apache HTTP Server, and <systemitem class=\"daemon\">smbd</systemitem> for Samba:"
+msgstr "Для поиска блокировок SELinux для определенной службы, используется опция <option>-c <replaceable>comm-name</replaceable></option>, где <replaceable>comm-name</replaceable> \"исполняемое имя файла\"<footnote> <para> из страницы руководства <citerefentry><refentrytitle>ausearch</refentrytitle><manvolnum>8</manvolnum></citerefentry>, поставляемой с пакетом <package>audit</package> в Fedora&nbsp;&PRODVER;. </para> </footnote>, например, <systemitem class=\"daemon\">httpd</systemitem> для Apache HTTP Server и <systemitem class=\"daemon\">smbd</systemitem> для Samba:"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -c httpd</command>"
+msgstr "<command>/sbin/ausearch -m avc -c httpd</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "<command>/sbin/ausearch -m avc -c smbd</command>"
+msgstr "<command>/sbin/ausearch -m avc -c smbd</command>"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to the"
+msgstr "В соответствии со"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>ausearch</command> options."
+msgstr "страницей руководства <command>ausearch</command>."
+
+#. Tag: title
+#, no-c-format
+msgid "aureport"
+msgstr "aureport"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>audit</package> package provides <command>aureport</command>. From the"
+msgstr "Пакет <package>audit</package> предоставляет <command>aureport</command>. Из"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>aureport</command> is a tool that produces summary reports of the audit system logs\"<footnote> <para> From the <citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum></citerefentry> manual page, as shipped with the <package>audit</package> package in Fedora&nbsp;&PRODVER;. </para> </footnote>. The <command>aureport</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user. To view a list of SELinux denials and how often each one occurred, run the <command>aureport -a</command> command. The following is example output that includes two denials:"
+msgstr "страницы руководства : \"<command>aureport</command> - это утилита, формирующая отчеты системных журналов аудита\"<footnote> <para> Из страницы руководства <citerefentry><refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum></citerefentry>, поставляемой с пакетом <package>audit</package> в Fedora&nbsp;&PRODVER;. </para> </footnote>. Утилита <command>aureport</command> запрашивает <filename>/var/log/audit/audit.log</filename>, а также должны быть запущена от имени пользователя root. Для просмотра списка блокировок SELinux, а также как часто каждая из них возникает, выполните команду <command>aureport -a</command>. Ð’ следующем примере, показан вывод с двумя блокировкамÐ
 ¸:"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>aureport</command> options."
+msgstr "страница руководства <command>aureport</command> с дополнительными опциями."
+
+#. Tag: title
+#, no-c-format
+msgid "sealert"
+msgstr "sealert"
+
+#. Tag: para
+#, no-c-format
+msgid "The <package>setroubleshoot-server</package> package provides <command>sealert</command>, which reads denial messages translated by <package>setroubleshoot-server</package>. Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. The following is an example denial from <filename>messages</filename>:"
+msgstr "Пакет <package>setroubleshoot-server</package> предоставляет <command>sealert</command>, которая читает сообщения о блокировках, транслированные <package>setroubleshoot-server</package>. Блокировкам назначаются ID, как показано в <filename>/var/log/messages</filename>. Ниже показан пример блокировки из <filename>messages</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, the denial ID is <computeroutput>84e0b04d-d0ad-4347-8317-22e74f6cd020</computeroutput>. The <option>-l</option> option takes an ID as an argument. Running the <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> command presents a detailed analysis of why SELinux denied access, and a possible solution for allowing access."
+msgstr "В этом примере, ID блокировки <computeroutput>84e0b04d-d0ad-4347-8317-22e74f6cd020</computeroutput>. Опция <option>-l</option> берет ID в качестве аргумента. Запуск команды <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> покажет детальный анализ причины, почему SELinux блокировал доступ и возможное решение предоставления доступа."
+
+#. Tag: para
+#, no-c-format
+msgid "If you are running the X Window System, have the <package>setroubleshoot</package> and <package>setroubleshoot-server</package> packages installed, and the <systemitem class=\"daemon\">setroubleshootd</systemitem>, <systemitem class=\"daemon\">dbus</systemitem> and <systemitem class=\"daemon\">auditd</systemitem> daemons are running, a warning is displayed when access is denied by SELinux. Clicking on 'Show' launches the <command>sealert</command> GUI, and displays denials in HTML output:"
+msgstr "Если запущена X Window System, и установлены пакеты <package>setroubleshoot</package> и <package>setroubleshoot-server</package>, а также демоны <systemitem class=\"daemon\">setroubleshootd</systemitem>, <systemitem class=\"daemon\">dbus</systemitem> и <systemitem class=\"daemon\">auditd</systemitem> запущены, то при блокировке доступа SELinux будет показано предупреждение. Нажмите 'Show', это запустит GUI <command>sealert</command> и покажет блокировку в HTML формате:"
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>sealert -b</command> command to launch the <command>sealert</command> GUI."
+msgstr "Выполните команду <command>sealert -b</command> для запуска GUI <command>sealert</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>sealert -l \\*</command> command to view a detailed analysis of all denials."
+msgstr "Выполните команду <command>sealert -l \\*</command> для просмотра детального анализа всех блокировок."
+
+#. Tag: para
+#, no-c-format
+msgid "As the Linux root user, run the <command>sealert -a /var/log/audit/audit.log -H &gt; audit.html</command> command to create a HTML version of the <command>sealert</command> analysis, as seen with the <command>sealert</command> GUI."
+msgstr "От имени пользователя root, выполните команду <command>sealert -a /var/log/audit/audit.log -H &gt; audit.html</command> для создания HTML версии анализа <command>sealert</command>, как показано в GUI <command>sealert</command>."
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page for further <command>sealert</command> options."
+msgstr "страница руководства <command>sealert</command> с дополнительными опциями."
+
+#. Tag: title
+#, no-c-format
+msgid "Raw Audit Messages"
+msgstr "Необработанные сообщения аудита"
+
+#. Tag: para
+#, no-c-format
+msgid "Raw audit messages are logged to <filename>/var/log/audit/audit.log</filename>. The following is an example AVC denial (and the associated system call) that occurred when the Apache HTTP Server (running in the <computeroutput>httpd_t</computeroutput> domain) attempted to access the <filename>/var/www/html/file1</filename> file (labeled with the <computeroutput>samba_share_t</computeroutput> type):"
+msgstr "Необработанные сообщения аудита записываются в <filename>/var/log/audit/audit.log</filename>. Ниже показан пример блокировки AVC (и связанный с этим системный вызов), которые появляются, когда Apache HTTP Server (запущенный в домене <computeroutput>httpd_t</computeroutput>) запрашивает доступ к файлу <filename>/var/www/html/file1</filename> (маркированный типом <computeroutput>samba_share_t</computeroutput>):"
+
+#. Tag: term
+#, no-c-format
+msgid "<replaceable>{ getattr }</replaceable>"
+msgstr "<replaceable>{ getattr }</replaceable>"
+
+#. Tag: para
+#, no-c-format
+msgid "The item in braces indicates the permission that was denied. <computeroutput>getattr</computeroutput> indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include <computeroutput>getattr</computeroutput>, <computeroutput>read</computeroutput>, and <computeroutput>write</computeroutput>."
+msgstr "Элемент в скобках показывает информацию о том, что доступ был блокирован. <computeroutput>getattr</computeroutput> показывает информацию о том, что процесс-источник пытался прочесть информацию о статусе файла. Это происходит перед чтением файла. Это действие было блокировано, так как файл, к которому запрашивался доступ, был промаркирован неправильной меткой. Обычно разрешения на просмотр включают: <computeroutput>getattr</computeroutput>, <computeroutput>read</computeroutput> и <computeroutput>write</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "comm=\"<replaceable>httpd</replaceable>\""
+msgstr "comm=\"<replaceable>httpd</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The executable that launched the process. The full path of the executable is found in the <computeroutput>exe=</computeroutput> section of the system call (<computeroutput>SYSCALL</computeroutput>) message, which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+msgstr "Исполняемый файл, который запускает процесс. Полный путь к исполняемому файлу находится в разделе <computeroutput>exe=</computeroutput> сообщения системного вызова (<computeroutput>SYSCALL</computeroutput>), который в этом случае <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "path=\"<replaceable>/var/www/html/file1</replaceable>\""
+msgstr "path=\"<replaceable>/var/www/html/file1</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The path to the object (target) the process attempted to access."
+msgstr "Путь к объекту (target) процесс запрашивающий доступ."
+
+#. Tag: term
+#, no-c-format
+msgid "scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
+msgstr "scontext=\"<replaceable>unconfined_u:system_r:httpd_t:s0</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the <computeroutput>httpd_t</computeroutput> domain."
+msgstr "контекст SELinux процесса, который выполняет блокированное действие. В данном случае, это контекст SELinux процесса Apache HTTP Server, запущенный в домене <computeroutput>httpd_t</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "tcontext=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>\""
+msgstr "context=\"<replaceable>unconfined_u:object_r:samba_share_t:s0</replaceable>\""
+
+#. Tag: para
+#, no-c-format
+msgid "The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of <filename>file1</filename>. Note: the <computeroutput>samba_share_t</computeroutput> type is not accessible to processes running in the <computeroutput>httpd_t</computeroutput> domain."
+msgstr "Контекст SELinux объекта (цели, target) процесса, запрашивающего доступ. В данном случае - это контекст SELinux файла <filename>file1</filename>. Примечание: тип <computeroutput>samba_share_t</computeroutput> не доступен процессам, запущенным в <computeroutput>httpd_t</computeroutput> домене."
+
+#. Tag: para
+#, no-c-format
+msgid "In certain situations, the <computeroutput>tcontext</computeroutput> may match the <computeroutput>scontext</computeroutput>, for example, when a process attempts to execute a system service that will change characteristics of that running process, such as the user ID. Also, the <computeroutput>tcontext</computeroutput> may match the <computeroutput>scontext</computeroutput> when a process tries to use more resources (such as memory) than normal limits allow, resulting in a security check to see if that process is allowed to break those limits."
+msgstr "В определенных ситуациях, <computeroutput>tcontext</computeroutput> может совпадать с <computeroutput>scontext</computeroutput>, например, если процесс пытается выполнить системную службу, которая изменяет характеристики этого, запущенного процесса, такого как ID пользователя. Также <computeroutput>tcontext</computeroutput> может совпадать с <computeroutput>scontext</computeroutput>, когда процесс пытается использовать больше ресурсов (например, памяти) чем позволяет лимит, что приводит к проверке безопасности, может ли такой процесс преодолеть данное ограничение."
+
+#. Tag: para
+#, no-c-format
+msgid "From the system call (<computeroutput>SYSCALL</computeroutput>) message, two items are of interest:"
+msgstr "Из сообщения системного вызова (<computeroutput>SYSCALL</computeroutput>), интересны два пункта:"
+
+#. Tag: para
+#, no-c-format
+msgid "<computeroutput>success=<replaceable>no</replaceable></computeroutput>: indicates whether the denial (AVC) was enforced or not. <computeroutput>success=no</computeroutput> indicates the system call was not successful (SELinux denied access). <computeroutput>success=yes</computeroutput> indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as <computeroutput>initrc_t</computeroutput> and <computeroutput>kernel_t</computeroutput>."
+msgstr "<computeroutput>success=<replaceable>no</replaceable></computeroutput>: показывает была ли блокировка (AVC) принудительна или нет. <computeroutput>success=no</computeroutput> показывает, что системный вызов не был выполнен успешно (SELinux блокировал доступ). <computeroutput>success=yes</computeroutput> показывает, что системный вызов был выполнен успешно - такое событие можно увидеть для разрешающих доменов или неограниченных доменов, таких как <computeroutput>initrc_t</computeroutput> и <computeroutput>kernel_t</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</computeroutput>: the full path to the executable that launched the process, which in this case, is <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+msgstr "<computeroutput>exe=\"<replaceable>/usr/sbin/httpd</replaceable>\"</computeroutput>: полный путь к исполняемому файлу, который запускает процесс, который в данном случае <computeroutput>exe=\"/usr/sbin/httpd\"</computeroutput>."
+
+#. Tag: para
+#, no-c-format
+msgid "An incorrect file type is a common cause for SELinux denying access. To start troubleshooting, compare the source context (<computeroutput>scontext</computeroutput>) with the target context (<computeroutput>tcontext</computeroutput>). Should the process (<computeroutput>scontext</computeroutput>) be accessing such an object (<computeroutput>tcontext</computeroutput>)? For example, the Apache HTTP Server (<computeroutput>httpd_t</computeroutput>) should only be accessing types specified in the"
+msgstr "Некорректный тип файла - это основная причина, для блокировок доступа SELinux. Для начала анализа и устранения проблем, сравните исходных контекст (<computeroutput>scontext</computeroutput>) с целевым контекстом (<computeroutput>tcontext</computeroutput>). Должен ли процесс (<computeroutput>scontext</computeroutput>) получать доступ к объекту (<computeroutput>tcontext</computeroutput>)? Например, Apache HTTP Server (<computeroutput>httpd_t</computeroutput>) должен получать доступ только к файлам указанным в"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page, such as <computeroutput>httpd_sys_content_t</computeroutput>, <computeroutput>public_content_t</computeroutput>, and so on, unless configured otherwise."
+msgstr "странице руководства, таким как <computeroutput>httpd_sys_content_t</computeroutput>, <computeroutput>public_content_t</computeroutput> и так далее, если не сконфигурировано иное."
+
+#. Tag: title
+#, no-c-format
+msgid "sealert Messages"
+msgstr "Сообщения sealert"
+
+#. Tag: para
+#, no-c-format
+msgid "Denials are assigned IDs, as seen in <filename>/var/log/messages</filename>. The following is an example AVC denial (logged to <filename>messages</filename>) that occurred when the Apache HTTP Server (running in the <computeroutput>httpd_t</computeroutput> domain) attempted to access the <filename>/var/www/html/file1</filename> file (labeled with the <computeroutput>samba_share_t</computeroutput> type):"
+msgstr "Блокировкам присваиваются ID, как видно в <filename>/var/log/messages</filename>. Ниже показан пример блокировки AVC (журналированной в <filename>messages</filename>), которая возникает когда Apache HTTP Server (запущенный в домене <computeroutput>httpd_t</computeroutput>) пытается получить доступ к файлу <filename>/var/www/html/file1</filename> (маркированный типом <computeroutput>samba_share_t</computeroutput>):"
+
+#. Tag: para
+#, no-c-format
+msgid "As suggested, run the <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> command to view the complete message. This command only works on the local machine, and presents the same information as the <command>sealert</command> GUI:"
+msgstr "Подразумевается, что выполнение команды <command>sealert -l 84e0b04d-d0ad-4347-8317-22e74f6cd020</command> покажет сообщение целиком. Эта команда работает только на локальной машине и показывает аналогичную информацию с <command>sealert</command> GUI:"
+
+#. Tag: term
+#, no-c-format
+msgid "Summary"
+msgstr "Краткая сводка"
+
+#. Tag: para
+#, no-c-format
+msgid "A brief summary of the denied action. This is the same as the denial in <filename>/var/log/messages</filename>. In this example, the <systemitem class=\"daemon\">httpd</systemitem> process was denied access to a file (<filename>file1</filename>), which is labeled with the <computeroutput>samba_share_t</computeroutput> type."
+msgstr "Краткая сводка действия блокировки. Это та же самая блокировка, что и в <filename>/var/log/messages</filename>. В этом примере процесс <systemitem class=\"daemon\">httpd</systemitem> блокирует доступ к файлу (<filename>file1</filename>), который помечен типом <computeroutput>samba_share_t</computeroutput>."
+
+#. Tag: term
+#, no-c-format
+msgid "Detailed Description"
+msgstr "Детальное описание"
+
+#. Tag: para
+#, no-c-format
+msgid "A more verbose description. In this example, <filename>file1</filename> is labeled with the <computeroutput>samba_share_t</computeroutput> type. This type is used for files and directories that you want to export via Samba. The description suggests changing the type to a type that can be accessed by the Apache HTTP Server and Samba, if such access is desired."
+msgstr "Более полное описание. В этом примере <filename>file1</filename> помечен типом <computeroutput>samba_share_t</computeroutput>. Этот тип используется для файлов и каталогов, которые необходимо экспортировать через Samba. Описание подразумевает изменение типа на тип, который может быть доступен для Apache HTTP Server и Samba, если доступ блокируется."
+
+#. Tag: term
+#, no-c-format
+msgid "Allowing Access"
+msgstr "Предоставление доступа"
+
+#. Tag: para
+#, no-c-format
+msgid "A suggestion for how to allow access. This may be relabeling files, turning a Boolean on, or making a local policy module. In this case, the suggestion is to label the file with a type accessible to both the Apache HTTP Server and Samba."
+msgstr "Предположения как можно разрешить доступ. Это можно сделать с помощью перемаркировки файлов, включения Булевых переменных или создания локального модуля политики. В данном случае предполагается изменения типа файла, на тип доступный Apache HTTP Server и Samba."
+
+#. Tag: term
+#, no-c-format
+msgid "Fix Command"
+msgstr "Команда исправления"
+
+#. Tag: para
+#, no-c-format
+msgid "A suggested command to allow access and resolve the denial. In this example, it gives the command to change the <filename>file1</filename> type to <computeroutput>public_content_t</computeroutput>, which is accessible to the Apache HTTP Server and Samba."
+msgstr "Предполагаемая команда для предоставления доступ и разрешения блокировки. В данном примере, даётся команда, изменяющая тип <filename>file1</filename> на <computeroutput>public_content_t</computeroutput>, который доступен Apache HTTP Server и Samba."
+
+#. Tag: term
+#, no-c-format
+msgid "Additional Information"
+msgstr "Дополнительная информация"
+
+#. Tag: para
+#, no-c-format
+msgid "Information that is useful in bug reports, such as the policy package name and version (<computeroutput>selinux-policy-3.5.13-11.fc12</computeroutput>), but may not help towards solving why the denial occurred."
+msgstr "Информация полезная в отчетах об ошибках, таких как такая как имя пакета политики и версия (<computeroutput>selinux-policy-3.5.13-11.fc12</computeroutput>), но не помогающая в направлении решения и устранения причин появления блокировки."
+
+#. Tag: para
+#, no-c-format
+msgid "The raw audit messages from <filename>/var/log/audit/audit.log</filename> that are associated with the denial. Refer to <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> for information about each item in the AVC denial."
+msgstr "Необработанные сообщения аудита из <filename>/var/log/audit/audit.log</filename>, связанные с блокировкой. Дополнительная информация <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages\" /> о каждом пункте в блокировке AVC."
+
+#. Tag: title
+#, no-c-format
+msgid "Allowing Access: audit2allow"
+msgstr "Предоставление доступа: audit2allow"
+
+#. Tag: para
+#, no-c-format
+msgid "Do not use the example in this section in production. It is used only to demonstrate the use of <command>audit2allow</command>."
+msgstr "Не используйте данный пример в продуктивной системе. Он используется только для демонстрации использования <command>audit2allow</command>."
+
+#. Tag: para
+#, no-c-format
+msgid "From the"
+msgstr "Из"
+
+#. Tag: refentrytitle
+#, no-c-format
+msgid "audit2allow"
+msgstr "audit2allow"
+
+#. Tag: citerefentry
+#, no-c-format
+msgid "manual page: \"<command>audit2allow</command> - generate SELinux policy allow rules from logs of denied operations\"<footnote> <para> From the <citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page, as shipped with the <package>policycoreutils</package> package in Fedora&nbsp;&PRODVER;. </para> </footnote>. After analyzing denials as per <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, and if no label changes or Booleans allowed access, use <command>audit2allow</command> to create a local policy module. After access is denied by SELinux, running the <command>audit2allow</command> command presents Type Enforcement rules that allow the previously denied access."
+msgstr "страницы руководства: \"<command>audit2allow</command> - генерирует разрешающие правила политики SELinux из логов (журналаов) блокированных операций\"<footnote> <para> Из страницы руководства <citerefentry><refentrytitle>audit2allow</refentrytitle><manvolnum>1</manvolnum></citerefentry>, поставляемой с пакетом <package>policycoreutils</package> в Fedora&nbsp;&PRODVER;. </para> </footnote>. После анализа блокировок как в <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />, и если метки не изменяются и нет Булевых переменных, предоставляющих доступ, используйте команду <command>audit2allow</command> для создания локального модуля политики. После того, как
  SELinux блокировал доступ, выполнение команды <command>audit2allow</command> покажет правила Type Enforcement, которые разрешат блокированный доступ."
+
+#. Tag: para
+#, no-c-format
+msgid "The following example demonstrates using <command>audit2allow</command> to create a policy module:"
+msgstr "В следующем примере демонстрируется использование <command>audit2allow</command> для создания модуля политики:"
+
+#. Tag: para
+#, no-c-format
+msgid "A denial and the associated system call are logged to <filename>/var/log/audit/audit.log</filename>:"
+msgstr "Блокировка и соответствующий системный вызов записаны в <filename>/var/log/audit/audit.log</filename>:"
+
+#. Tag: para
+#, no-c-format
+msgid "In this example, <application>certwatch</application> (<computeroutput>comm=\"certwatch\"</computeroutput>) was denied write access (<computeroutput>{ write }</computeroutput>) to a directory labeled with the <computeroutput>var_t</computeroutput> type (<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). Analyze the denial as per <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />. If no label changes or Booleans allowed access, use <command>audit2allow</command> to create a local policy module."
+msgstr "В этом примере <application>certwatch</application> (<computeroutput>comm=\"certwatch\"</computeroutput>) блокирует доступ на запись (<computeroutput>{ write }</computeroutput>) в каталог помеченный типом <computeroutput>var_t</computeroutput> (<computeroutput>tcontext=system_u:object_r:var_t:s0</computeroutput>). Проанализируйте блокировку в соответствии с <xref linkend=\"sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages\" />. Если метки не изменены или нет Булевых переменных, предоставляющих доступ, используйте <command>audit2allow</command> для создания локальной политики."
+
+#. Tag: para
+#, no-c-format
+msgid "With a denial logged, such as the <computeroutput>certwatch</computeroutput> denial in step 1, run the <command>audit2allow -w -a</command> command to produce a human-readable description of why access was denied. The <option>-a</option> option causes all audit logs to be read. The <option>-w</option> option produces the human-readable description. The <command>audit2allow</command> tool accesses <filename>/var/log/audit/audit.log</filename>, and as such, must be run as the Linux root user:"
+msgstr "С записанным сообщением о блокировке, таким как <computeroutput>certwatch</computeroutput> в шаге 1, выполните команду <command>audit2allow -w -a</command> для создания удобно-читаемого описания, почему доступ был блокирован. Опция <option>-a</option> является основанием для чтения всех логов. Опция <option>-w</option> создает удобо-читаемое описание. Инструмент <command>audit2allow</command> запрашивает <filename>/var/log/audit/audit.log</filename> и, как следствие, должен быть запущен от имени пользователя root."
+
+#. Tag: para
+#, no-c-format
+msgid "As shown, access was denied due to a missing Type Enforcement rule."
+msgstr "Как показано, доступ блокирован, в соответствии с отсутствием правила Type Enforcement."
+
+#. Tag: para
+#, no-c-format
+msgid "Run the <command>audit2allow -a</command> command to view the Type Enforcement rule that allows the denied access:"
+msgstr "Выполните команду <command>audit2allow -a</command> для просмотра правил Type Enforcement. которые разрешают блокированный доступ:"
+
+#. Tag: para
+#, no-c-format
+msgid "Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>. For Fedora, create bugs against the <computeroutput>Fedora</computeroutput> product, and select the <computeroutput>selinux-policy</computeroutput> component. Include the output of the <command>audit2allow -w -a</command> and <command>audit2allow -a</command> commands in such bug reports."
+msgstr "Недостающие правила Type Enforcement обычно вызвана ошибками в политике SELinux, и о них необходимо сообщать в <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>. Для Fedora, создайте bug напротив продукта <computeroutput>Fedora</computeroutput> и выберите компоненту <computeroutput>selinux-policy</computeroutput>. Включите вывод команд <command>audit2allow -w -a</command> и <command>audit2allow -a</command> в bug report."
+
+#. Tag: para
+#, no-c-format
+msgid "To use the rule displayed by <command>audit2allow -a</command>, run the <command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command> command as the Linux root user to create custom module. The <option>-M</option> option creates a Type Enforcement file (<filename>.te</filename>) with the name specified with <option>-M</option>, in your current working directory:"
+msgstr "Для использования правила, показанного <command>audit2allow -a</command>, выполните команду <command>audit2allow -a -M <replaceable>mycertwatch</replaceable></command>  от имени пользователя root для создания индивидуального модуля. Опция <option>-M</option> создает файл Type Enforcement (<filename>.te</filename>), с именем. указанным опцией <option>-M</option>, в текущем каталоге:"
+
+#. Tag: para
+#, no-c-format
+msgid "Also, <command>audit2allow</command> compiles the Type Enforcement rule into a policy package (<filename>.pp</filename>). To install the module, run the <command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></command> command as the Linux root user."
+msgstr "Также, <command>audit2allow</command> компилирует правила Type Enforcement в пакет политики (<filename>.pp</filename>). Для инсталляции модуля, используется команда <command>/usr/sbin/semodule -i <replaceable>mycertwatch.pp</replaceable></command> от имени пользователя root."
+
+#. Tag: para
+#, no-c-format
+msgid "Modules created with <command>audit2allow</command> may allow more access than required. It is recommended that policy created with <command>audit2allow</command> be posted to an SELinux list, such as <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>, for review. If you believe their is a bug in policy, create a bug in <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>."
+msgstr "Модули, созданные с помощью <command>audit2allow</command> могут предоставить больше доступа чем требуется. Рекомендуется публиковать политики, созданные с помощью <command>audit2allow</command> в лист SELinux. такой как <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\">fedora-selinux-list</ulink>, для обзора. Если Вы считаете, что это ошибка (bug) в политике, создайте bug в <ulink url=\"https://bugzilla.redhat.com/\">Red Hat Bugzilla</ulink>."
+
+#. Tag: para
+#, no-c-format
+msgid "If you have multiple denials from multiple processes, but only want to create a custom policy for a single process, use the <command>grep</command> command to narrow down the input for <command>audit2allow</command>. The following example demonstrates using <command>grep</command> to only send denials related to <command>certwatch</command> through <command>audit2allow</command>:"
+msgstr "Если есть множество блокировок от множества процессов, но необходимо создать индивидуальную политику для одного определенного процесса, используйте команду <command>grep</command> для сужения ввода команде <command>audit2allow</command>. В следующем примере демонстрируется использование команды <command>grep</command> для отправки блокировок. относящихся только к <command>certwatch</command> для <command>audit2allow</command>:"
+
+#. Tag: para
+#, no-c-format
+msgid "Refer to Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> blog entry for further information about using <command>audit2allow</command> to build policy modules."
+msgstr "В соответствии с блогом Dan Walsh's <ulink url=\"http://danwalsh.livejournal.com/24750.html\">\"Using audit2allow to build policy modules. Revisited.\"</ulink> дополнительная информация об использовании <command>audit2allow</command> для создания модулей политик."
+
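Review bot: The msgstr for the certwatch denial paragraph inverts the meaning: "certwatch ... блокирует доступ на запись" says certwatch is doing the blocking, while the msgid says certwatch was denied write access to the var_t directory. Suggest "приложению certwatch ... было отказано в доступе на запись", so the reader can tell which domain the AVC denial applies to. In the same entry, "Если метки не изменены" reads as "if the labels are unchanged", but the msgid means that neither a label change nor a Boolean allowed the access. In the audit2allow -w -a entry the msgid ends with ":" to introduce the command output, but the msgstr ends with "."; the same entry has "удобо-читаемое", and "является основанием для чтения всех логов" would be clearer as "указывает читать все журналы аудита". Four entries have a period where a comma belongs mid-sentence: "Type Enforcement. которые", "с именем. указанным", "лист SELinux. такой как", "блокировок. относящихся". In the Bugzilla entry, "обычно вызвана" should agree with "правила" ("вызваны"), and "создайте bug напротив продукта" is a literal rendering of "against" ("для продукта" fits). In the last entry, "В соответствии с блогом" turns "Refer to" into "in accordance with"; "Обратитесь к записи в блоге" matches the msgid.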


