selinux-faq/FC-5/po it.po, NONE, 1.1 pt.po, NONE, 1.1 selinux-faq.pot, NONE, 1.1
Paul W. Frields (pfrields)
fedora-docs-commits at redhat.com
Fri Nov 16 13:05:09 UTC 2007
Author: pfrields
Update of /cvs/docs/selinux-faq/FC-5/po
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12637/FC-5/po
Added Files:
it.po pt.po selinux-faq.pot
Log Message:
Add FC-5 and F-8 branches. For right now, these are duplicate copies of one another. The F-8 branch is where new work is to be done to bring the FAQ up to date with better and more content.
--- NEW FILE it.po ---
# translation of it.po to Italiano
# Francesco Tombolini <tombo at adamantio.net>, 2006, 2007.
msgid ""
msgstr ""
"Project-Id-Version: it\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2007-04-25 15:57+0200\n"
"PO-Revision-Date: 2007-04-25 16:05+0200\n"
"Last-Translator: Francesco Tombolini <tombo at adamantio.net>\n"
"Language-Team: Italiano <fedora-trans-it at redhat.com>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: KBabel 1.11.4\n"
#: en_US/doc-entities.xml:6(title)
msgid "These entities are absolutely essential in this document."
msgstr "Queste entità sono assolutamente essenziali in questo documento."
#: en_US/doc-entities.xml:9(comment)
msgid "A per-document entity"
msgstr "Un entità per-documento"
#: en_US/doc-entities.xml:10(wordasword)
msgid "Per-document Entity"
msgstr "Entità per-documento"
#: en_US/doc-entities.xml:14(comment)
msgid "Should match the name of this module"
msgstr "Dovrebbe avere lo stesso nome di questo modulo"
#: en_US/doc-entities.xml:15(text)
msgid "selinux-faq"
msgstr "selinux-faq"
#: en_US/doc-entities.xml:18(comment)
msgid "Last revision number, bump when you change the doc"
msgstr "Ultimo numero di revisione, conta quando cambi documento"
#: en_US/doc-entities.xml:19(text)
msgid "1.5.2"
msgstr "1.5.2"
#: en_US/doc-entities.xml:22(comment)
msgid "Last revision date, format YYYY-MM-DD"
msgstr "Data di ultima revisione, formato YYYY-MM-DD"
#: en_US/doc-entities.xml:23(text)
msgid "2006-03-24"
msgstr "2006-03-24"
#: en_US/doc-entities.xml:26(comment)
msgid "Same for every document"
msgstr "Lo stesso per ogni documento"
#: en_US/doc-entities.xml:27(text)
msgid ""
"<use entity=\"DOCNAME\"/>-<use entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE"
"\"/>)"
msgstr ""
"<use entity=\"DOCNAME\"/>-<use entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE"
"\"/>)"
#: en_US/doc-entities.xml:32(comment)
msgid ""
"Useful pre-filled bug report; note the changes of the ampersand and "
"percentage characters to their entity equivalent."
msgstr ""
"Utile segnalazione d'errore precompilata; nota i cambiamenti degli ampersand "
"e dei caratteri di percentuale alle loro equivalenti entità ."
#: en_US/doc-entities.xml:35(text)
msgid ""
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&"
"percnt;20Documentation&op_sys=Linux&target_milestone=---&"
"amp;bug_status=NEW&version=devel&component=selinux-faq&"
"amp;rep_platform=All&priority=normal&bug_severity=normal&"
"amp;assigned_to=kwade%40redhat.com&cc=&"
"estimated_time_presets=0.0&estimated_time=0.0&"
"bug_file_loc=http%3A%2F%2Ffedora.redhat."
"com%2Fdocs%2Fselinux-faq%2F&"
"short_desc=CHANGE%20TO%20A%20REAL&"
"percnt;20SUMMARY&comment=%5B%5B&"
"percnt;20Description%20of%20change&"
"percnt;2FFAQ%20addition.%20%20If&"
"percnt;20a%20change%2C%20include&"
"percnt;20the%20original%0D%0Atext&"
"percnt;20first%2C%20then%20the&"
"percnt;20changed%20text%3A%20&"
"percnt;5D%5D%0D%0A%0D&"
"percnt;0A%0D%0A%5B%5B&"
"percnt;20Version-Release%20of%20FAQ%20&"
"percnt;0D%0A%28found%20on%0D&"
"percnt;0Ahttp%3A%2F%2Ffedora.redhat.com&"
"percnt;2Fdocs%2Fselinux-faq-fc5%2Fln-legalnotice."
"html%29%3A%0D%0A&"
"percnt;0D%0A%20for%20example&"
"percnt;3A%20%20selinux-faq-1.5.2%20&"
"percnt;282006-03-20%29&status_whiteboard=&"
"keywords=&issuetrackers=&dependson=&blocked=&"
"ext_bz_id=0&ext_bz_bug_id=&data=&description=&"
"amp;contenttypemethod=list&contenttypeselection=text&"
"percnt;2Fplain&contenttypeentry=&maketemplate=Remember&"
"percnt;20values%20as%20bookmarkable&"
"percnt;20template&form_name=enter_bug"
msgstr ""
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&"
"percnt;20Documentation&op_sys=Linux&target_milestone=---&"
"amp;bug_status=NEW&version=devel&component=selinux-faq&"
"amp;rep_platform=All&priority=normal&bug_severity=normal&"
"amp;assigned_to=kwade%40redhat.com&cc=&"
"estimated_time_presets=0.0&estimated_time=0.0&"
"bug_file_loc=http%3A%2F%2Ffedora.redhat."
"com%2Fdocs%2Fselinux-faq%2F&"
"short_desc=CHANGE%20TO%20A%20REAL&"
"percnt;20SUMMARY&comment=%5B%5B&"
"percnt;20Description%20of%20change&"
"percnt;2FFAQ%20addition.%20%20If&"
"percnt;20a%20change%2C%20include&"
"percnt;20the%20original%0D%0Atext&"
"percnt;20first%2C%20then%20the&"
"percnt;20changed%20text%3A%20&"
"percnt;5D%5D%0D%0A%0D&"
"percnt;0A%0D%0A%5B%5B&"
"percnt;20Version-Release%20of%20FAQ%20&"
"percnt;0D%0A%28found%20on%0D&"
"percnt;0Ahttp%3A%2F%2Ffedora.redhat.com&"
"percnt;2Fdocs%2Fselinux-faq-fc5%2Fln-legalnotice."
"html%29%3A%0D%0A&"
"percnt;0D%0A%20for%20example&"
"percnt;3A%20%20selinux-faq-1.5.2%20&"
"percnt;282006-03-20%29&status_whiteboard=&"
"keywords=&issuetrackers=&dependson=&blocked=&"
"ext_bz_id=0&ext_bz_bug_id=&data=&description=&"
"amp;contenttypemethod=list&contenttypeselection=text&"
"percnt;2Fplain&contenttypeentry=&maketemplate=Remember&"
"percnt;20values%20as%20bookmarkable&"
"percnt;20template&form_name=enter_bug"
#: en_US/doc-entities.xml:38(comment)
msgid "Locally useful."
msgstr "Utili localmente."
#: en_US/doc-entities.xml:39(text)
msgid "Apache HTTP"
msgstr "Apache HTTP"
#: en_US/doc-entities.xml:42(comment)
msgid ""
"Set value to your choice, usefule for when guide version is out of sync with "
"FC release, use instead of FEDVER or FEDTESTVER"
msgstr ""
"Impostate un valore a vostra scelta, utile per quando la versione della "
"guida è fuori sync con la versione di FC, usatelo invece di FEDVER o "
"FEDTESTVER"
#: en_US/doc-entities.xml:45(text)
msgid "5"
msgstr "5"
#: en_US/rpm-info.xml:14(rights)
msgid "OPL"
msgstr "OPL"
#: en_US/rpm-info.xml:15(version)
msgid "1.0"
msgstr "1.0"
#: en_US/rpm-info.xml:18(year)
msgid "2004"
msgstr "2004"
#: en_US/rpm-info.xml:19(year)
msgid "2005"
msgstr "2005"
#: en_US/rpm-info.xml:20(holder)
msgid "Red Hat, Inc."
msgstr "Red Hat, Inc."
#: en_US/rpm-info.xml:21(holder)
msgid "Karsten Wade"
msgstr "Karsten Wade"
#: en_US/rpm-info.xml:24(year)
msgid "2006"
msgstr "2006"
#: en_US/rpm-info.xml:25(holder)
msgid "Chad Sellers"
msgstr "Chad Sellers"
#: en_US/rpm-info.xml:26(holder)
msgid "Paul W. Frields"
msgstr "Paul W. Frields"
#: en_US/rpm-info.xml:28(title)
msgid "Fedora Core 5 SELinux FAQ"
[...3432 lines suppressed...]
msgid ""
"Integrating Flexible Support for Security Policies into the Linux Operating "
"System - technical report (describes original design and implementation, "
"including summary tables of classes, permissions, and what permission checks "
"are applied to what system calls. It is not entirely up-to-date with current "
"implementation, but a good resource nonetheless). <ulink url=\"http://www."
"nsa.gov/selinux/papers/slinux-abs.cfm\"/>"
msgstr ""
"Rapporto tecnico - Integrating Flexible Support for Security Policies into "
"the Linux Operating System (descrive implementazioni e disegni originali, "
"includendo tavole sinottiche delle classi, permessi, e quali controlli di "
"permessi sono applicati a quali chiamate di sistema. Non è completamente "
"aggiornato con l'implementazione attuale, ma ciò nonostante è una buona "
"risorsa). <ulink url=\"http://www.nsa.gov/selinux/papers/slinux-abs.cfm\"/>"
#: en_US/selinux-faq.xml:2608(title)
msgid "Deploying SELinux"
msgstr "Implementare SELinux"
#: en_US/selinux-faq.xml:2611(para)
msgid "What file systems can I use for SELinux?"
msgstr "Che file systems posso usare per SELinux?"
#: en_US/selinux-faq.xml:2616(para)
msgid ""
"The file system must support <computeroutput>xattr</computeroutput> labels "
"in the right <parameter>security.*</parameter> namespace. In addition to "
"ext2/ext3, XFS has recently added support for the necessary labels."
msgstr ""
"Il file system deve supportare le etichette <computeroutput>xattr</"
"computeroutput> nel giusto <parameter>security.*</parameter>namespace. Oltre "
"a ext2/ext3, XFS ha recentemente aggiunto il supporto per le necessarie "
"etichette."
#: en_US/selinux-faq.xml:2623(para)
msgid ""
"Note that XFS SELinux support is broken in upstream kernel 2.6.14 and "
"2.6.15, but fixed (worked around) in 2.6.16. Your kernel must include this "
"fix if you choose to use XFS with SELinux."
msgstr ""
"Notate che il supporto SELinux XFS non funziona nella serie di kernel 2.6.14 "
"e 2.6.15, ma è stato fissato (aggirando il problema) nella 2.6.16. Il vostro "
"kernel dovrà includere questo fix se scegliete di usare XFS con SELinux."
#: en_US/selinux-faq.xml:2633(para)
msgid "How does SELinux impact system performance?"
msgstr "Come impatta SELinux sulle prestazioni del sistema?"
#: en_US/selinux-faq.xml:2638(para)
msgid ""
"This is a variable that is hard to measure, and is heavily dependent on the "
"tuning and usage of the system running SELinux. When performance was last "
"measured, the impact was around 7% for completely untuned code. Subsequent "
"changes in system components such as networking are likely to have made that "
"worse in some cases. SELinux performance tuning continues to be a priority "
"of the development team."
msgstr ""
"Questa è una variabile difficile da quantificare, ed è pesantemente "
"dipendente dall'affinamento e dall'uso del sistema su cui SELinux sta "
"girando. L'ultima volta che le prestazioni sono state misurate, l'incidenza "
"era circa del 7% per codice completamente non affinato. Successivi "
"cambiamenti in componenti di sistema come il networking sembrerebbero aver "
"peggiorato la situazione in alcuni casi. Le prestazioni e l'affinamento di "
"SELinux continuano ad essere una priorità del team di sviluppo."
#: en_US/selinux-faq.xml:2651(para)
msgid ""
"What types of deployments, applications, and systems should I leverage "
"SELinux in?"
msgstr ""
"Di che tipo di implementazioni, applicazioni, sistemi, etc. dovrò tener "
"conto per l'uso con SELinux?"
#: en_US/selinux-faq.xml:2657(para)
msgid ""
"Initially, SELinux has been used on Internet facing servers that are "
"performing a few specialized functions, where it is critical to keep "
"extremely tight security. Administrators typically strip such a box of all "
"extra software and services, and run a very small, focused set of services. "
"A Web server or mail server is a good example."
msgstr ""
"Inizialmente, SELinux è stato usato per i server affacciati su Internet che "
"eseguono poche, funzioni specializzate, dove è critico mantenere una "
"sicurezza estremamente stretta. Gli amministratori tipicamente privano una "
"simile macchina di software e servizi extra, ed eseguono un gruppo di "
"servizi ristrettissimo, molto mirato. Un Web server o un mail server sono un "
"buon esempio."
#: en_US/selinux-faq.xml:2665(para)
msgid ""
"In these edge servers, you can lock down the policy very tightly. The "
"smaller number of interactions with other components makes such a lock down "
"easier. A dedicated system running a specialized third-party application "
"would also be a good candidate."
msgstr ""
"In questi servers di nicchia, potrete bloccare la policy molto strettamente. "
"Questo sarà facilitato dal piccolo numero di interazioni con gli altri "
"componenti. Una macchina dedicata che esegue un applicazione specialistica "
"di terze parti sarà anch'essa un buon candidato."
#: en_US/selinux-faq.xml:2671(para)
msgid ""
"In the future, SELinux will be targeted at all environments. In order to "
"achieve this goal, the community and <firstterm>independent software "
"vendors</firstterm> (<abbrev>ISV</abbrev>s) must work with the SELinux "
"developers to produce the necessary policy. So far, a very restrictive "
"<firstterm>strict policy</firstterm> has been written, as well as a "
"<firstterm>targeted policy</firstterm> that focuses on specific, vulnerable "
"daemons."
msgstr ""
"In futuro, SELinux sarà indirizzato a tutti gli ambienti. Per poter "
"raggiungere questo obbiettivo, la comunità e gli <firstterm>independent "
"software vendors</firstterm> (<abbrev>ISV</abbrev>s) dovranno lavorare con "
"gli sviluppatori SELinux per produrre le policy necessarie. Finora, sono "
"state scritte una <firstterm>strict policy</firstterm> molto restrittiva, ed "
"una <firstterm>targeted policy</firstterm> che mira a specifici, demoni "
"vulnerabili."
#: en_US/selinux-faq.xml:2681(para)
msgid ""
"For more information about these policies, refer to <xref linkend=\"qa-"
"whatis-policy\"/> and <xref linkend=\"qa-whatis-targeted-policy\"/>."
msgstr ""
"Per maggiori informazioni su queste policies, fate riferimento a <xref "
"linkend=\"qa-whatis-policy\"/> e <xref linkend=\"qa-whatis-targeted-policy\"/"
">."
#: en_US/selinux-faq.xml:2689(para)
msgid "How does SELinux affect third-party applications?"
msgstr "Che effetto ha SELinux sulle applicazioni di terze parti?"
#: en_US/selinux-faq.xml:2694(para)
msgid ""
"One goal of implementing a targeted SELinux policy in Fedora is to allow "
"third-party applications to work without modification. The targeted policy "
"is transparent to those unaddressed applications, and it falls back on "
"standard Linux DAC security. These applications, however, will not be "
"running in an extra-secure manner. You or another provider must write policy "
"to protect these applications with MAC security."
msgstr ""
"Uno degli scopi nell'implementare la policy targeted di SELinux in Fedora "
"è quello di permettere ad applicazioni di terze parti di funzionare "
"senza modifiche. La targeted policy è trasparente a quelle applicazioni che "
"non prova a controllare e che ricadono nella sicurezza di Linux standard. "
"Queste applicazioni non saranno eseguite in maniera extra sicura. Voi od un "
"altro fornitore dovrete scrivere una policy per proteggere queste "
"applicazioni con la sicurezza MAC."
#: en_US/selinux-faq.xml:2703(para)
msgid ""
"It is impossible to predict how every third-party application might behave "
"with SELinux, even running the targeted policy. You may be able to fix "
"issues that arise by changing the policy. You may find that SELinux exposes "
"previously unknown security issues with your application. You may have to "
"modify the application to work under SELinux."
msgstr ""
"E' impossibile predire come si comporterebbe ogni applicazione di terze "
"parti con SELinux, anche eseguendo la targeted policy. Potreste essere in "
"grado di risolvere problematiche insorgenti cambiando la policy. Potreste "
"trovare che SELinux esponga problemi di sicurezza sconosciuti con la vostra "
"applicazione. Potreste dover modificare l'applicazione per farla funzionare "
"sotto SELinux."
#: en_US/selinux-faq.xml:2711(para)
msgid ""
"Note that with the addition of <xref linkend=\"faq-entry-whatare-policy-"
"modules\"/>, it is now possible for third-party developers to include policy "
"modules with their application. If you are a third-party developer or a "
"package-maintainer, please consider including a policy module in your "
"package. This will allow you to secure the behavior of your application with "
"the power of SELinux for any user installing your package."
msgstr ""
"Notate che con l'aggiunta di <xref linkend=\"faq-entry-whatare-policy-modules"
"\"/>, è ora possibile per gli sviluppatori di terze parti includere moduli "
"di policy con le loro applicazioni. Se siete uno sviluppatore si terze pari "
"o un manutentore di pacchetti, siete pregati di considerare l'inclusione di "
"un modulo di policy nel vostro pacchetto. Questo permetterà di rendere "
"sicuro il comportamento della vostra applicazione con la potenza di SELinux "
"per ogni utente che installa il pacchetto."
#: en_US/selinux-faq.xml:2721(para)
msgid ""
"One important value that Fedora testers and users bring to the community is "
"extensive testing of third-party applications. With that in mind, please "
"bring your experiences to the appropriate mailing list, such as the fedora-"
"selinux list, for discussion. For more information about that list, refer to "
"<ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list/\"/>."
msgstr ""
"Un valore importante che i testers e gli utenti di Fedora portano alla "
"comunità è l'estensivo prova di applicativi di terze parti. Con questo a "
"mente, siete pregati di portare le vostre esperienze alla mailing list "
"appropriata per le discussioni, come la mailing list fedora-selinux. Per "
"maggiori informazioni su questa lista, fate riferimento a <ulink url="
"\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list/\"/>."
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: en_US/selinux-faq.xml:0(None)
msgid "translator-credits"
msgstr "Francesco Tombolini <tombo at adamantio.net> 2005, 2006"
--- NEW FILE pt.po ---
msgid ""
msgstr ""
"Project-Id-Version: selinux-faq\n"
"Report-Msgid-Bugs-To: http://bugs.kde.org\n"
"POT-Creation-Date: 2007-04-25 12:22+0100\n"
"PO-Revision-Date: 2007-04-25 12:22+0100\n"
"Last-Translator: José Nuno Coelho Pires <jncp at netcabo.pt>\n"
"Language-Team: pt <kde-i18n-pt at kde.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-POFile-SpellExtra: chkpwdexect kickstart selinux forbidden mnt sestatus\n"
"X-POFile-SpellExtra: autorelabel authdomtranschkpasswd init alZ include\n"
"X-POFile-SpellExtra: permissive faq semanage execstack MAC drwx ze\n"
"X-POFile-SpellExtra: fetchmail DTE syslog avc drwxrwxr append TTY mls LSM\n"
"X-POFile-SpellExtra: fingerd unconfinedt semodulepackage xfs MD rlogin\n"
"X-POFile-SpellExtra: dictd Technology etcruntimet named proftpd bashrc\n"
"X-POFile-SpellExtra: comsat dhcpd tmpt tools httpd setfiles noarch usr XFS\n"
"X-POFile-SpellExtra: type hidddisabletrans portmap pppd must this cat\n"
"X-POFile-SpellExtra: publichtml expanding share updfstab execheap\n"
"X-POFile-SpellExtra: checkmodule id write restorecon telnetd config HTTPD\n"
"X-POFile-SpellExtra: ioctl fc fd postfix allowexec logwatch so allow order\n"
"X-POFile-SpellExtra: disabled including tftpd cupsdrwetct varlogt kdeinit\n"
"X-POFile-SpellExtra: systemu systemr ls setgid policy policycoreutils non\n"
"X-POFile-SpellExtra: pptp docs devel pegasus hald unixchkpwd\n"
"X-POFile-SpellExtra: httpdsysscriptrwt selinuxtype shadowt dbus vpnc nfs\n"
"X-POFile-SpellExtra: chcon rpmsave bluez cupsdetct muddleftpd enforcment\n"
"X-POFile-SpellExtra: Type rw namedt SELinux reboot rf allowexecstack eZ rm\n"
"X-POFile-SpellExtra: newly ntp enforcing procmail ktalkd Security dmesgt\n"
"X-POFile-SpellExtra: created messages yum star Nest ISV cups gpm\n"
"X-POFile-SpellExtra: management service automount mkdir system\n"
"X-POFile-SpellExtra: NetworkManager Bugzilla nfst translation swapfilet\n"
"X-POFile-SpellExtra: require userhomedirt headers homedirtemplate privoxy\n"
"X-POFile-SpellExtra: and Compiling xattr any lilo canna Name passwd\n"
"X-POFile-SpellExtra: Generating sysadmr MLS Login class filecontext doc\n"
"X-POFile-SpellExtra: ext lpd MCS Fedora ftpd dontaudit stunnel httpdw\n"
"X-POFile-SpellExtra: httpdt staff semodule IMPORTANT aMakefile Translation\n"
"X-POFile-SpellExtra: saslauthd Level spamd cpio restart sysconfig vsftpd\n"
"X-POFile-SpellExtra: SystemLow cpucontrol default amanda auditd fixfiles\n"
"X-POFile-SpellExtra: ifconfig RBAC FDP innd setsebool relabelfrom getattr\n"
"X-POFile-SpellExtra: userr targeted lvm modprobe packages relabel sysstat\n"
"X-POFile-SpellExtra: context outrosficheirosdokde login filecontexts load\n"
"X-POFile-SpellExtra: cd diff cp ps pp mailman sysadm radvd\n"
"X-POFile-SpellExtra: sepolgenboolsarray dbskkd httpportt SELInux kerberos\n"
"X-POFile-SpellExtra: modulesconft reveram maner contexts mount execmem\n"
"X-POFile-SpellExtra: RHEL avahi manually squid kdecache SystemHigh conf in\n"
"X-POFile-SpellExtra: You Tresys userhomet if fedora NSA make newrole pam\n"
"X-POFile-SpellExtra: wrappers testrelshlibt userdomain openldap user\n"
"X-POFile-SpellExtra: enableaudit cscriptexect httpdusercontentt audit\n"
"X-POFile-SpellExtra: dmesg authchkpwd systemchkpwdt libsepol In the howl\n"
"X-POFile-SpellExtra: restore boolean tcp sources auditctl mysql touch yet\n"
"X-POFile-SpellExtra: daemondomain lokkit crack dovecot xend emergency read\n"
"X-POFile-SpellExtra: homehp radiusd using shadow mod dhcpc server\n"
"X-POFile-SpellExtra: setenforce Warning vsftpdt security accton grub\n"
"X-POFile-SpellExtra: executenotrans home homedirs SELINUXTYPE tmp rsync\n"
"X-POFile-SpellExtra: denied update dmidecode uucpd post src sbin\n"
"X-POFile-SpellExtra: postgresql SELINUX Enhanced meudominiot AVC ppd\n"
"X-POFile-SpellExtra: webalizer snmpd maillog cyrus Enforcement log support\n"
"X-POFile-SpellExtra: strict User cpuspeed var useradd reset Firewall\n"
"X-POFile-SpellExtra: libsemanage nscd relabelto securitylevel arpwatch\n"
"X-POFile-SpellExtra: hotplug check avcs DAC when you policygentool\n"
"X-POFile-SpellExtra: refpolicy users genhomedircon pamunix longer execmod\n"
"X-POFile-SpellExtra: required into conteudo port useru umutilizador\n"
"X-POFile-SpellExtra: objectr exustar omeuservidor minhaaplicacao HOME\n"
"X-POFile-SpellExtra: Frields textrelshlibt attribute DD AAAA FC fcontext\n"
"X-POFile-SpellExtra: loaded Sellers Hat Red binary loading from Creating\n"
"X-POFile-SpellExtra: Permission prot Payroll writing libraries version\n"
"X-POFile-SpellExtra: Karsten shared FEDTESTVER foo lnkfile httpdcontent\n"
"X-POFile-SpellExtra: bin customizabletypes csellers createfileperms after\n"
"X-POFile-SpellExtra: cannot proveitos Wade outrsficheirosdokde pamselinux\n"
"X-POFile-SpellExtra: configuration segment checkpolicy Compliling\n"
"X-POFile-SpellExtra: FICHEIROMEMÓRIAVIRTUAL Chad MM smbdt baz FEDVER\n"
"X-POFile-SpellExtra: while policymodule reloc error createdirperms\n"
"X-POFile-SpellExtra: representation dir Inc comment targetmilestone redhat\n"
"X-POFile-SpellExtra: cc text dependson maketemplate Version extbzbugid\n"
"X-POFile-SpellExtra: contenttypemethod Atext keywords NEW\n"
"X-POFile-SpellExtra: contenttypeselection CHANGE blocked Description kwade\n"
"X-POFile-SpellExtra: addition opsys priority estimatedtime bugfileloc\n"
"X-POFile-SpellExtra: bugstatus template Ahttp Fdocs outrosficheiroskde\n"
"X-POFile-SpellExtra: statuswhiteboard then bookmarkable description\n"
"X-POFile-SpellExtra: repplatform Remember Documentation component FFAQ\n"
"X-POFile-SpellExtra: SUMMARY issuetrackers legalnotice extbzid values Fln\n"
"X-POFile-SpellExtra: Release amp Fplain bugseverity contenttypeentry\n"
"X-POFile-SpellExtra: change formname Fselinux on All of changed list\n"
"X-POFile-SpellExtra: estimatedtimepresets percnt shortdesc found enterbug\n"
"X-POFile-SpellExtra: first example If assignedto OPL bz BZ\n"
#: en_US/doc-entities.xml:6(title)
msgid "These entities are absolutely essential in this document."
msgstr "Estas entidades são absolutamente essenciais neste documento."
#: en_US/doc-entities.xml:9(comment)
msgid "A per-document entity"
msgstr "Uma entidade por documento"
#: en_US/doc-entities.xml:10(wordasword)
msgid "Per-document Entity"
msgstr "Entidade por Documento"
#: en_US/doc-entities.xml:14(comment)
msgid "Should match the name of this module"
msgstr "Deverá corresponder ao nome deste módulo"
#: en_US/doc-entities.xml:15(text)
msgid "selinux-faq"
msgstr "selinux-faq"
#: en_US/doc-entities.xml:18(comment)
msgid "Last revision number, bump when you change the doc"
msgstr "O número da última versão, incremente quando mudar o documento"
#: en_US/doc-entities.xml:19(text)
msgid "1.5.2"
msgstr "1.5.2"
#: en_US/doc-entities.xml:22(comment)
msgid "Last revision date, format YYYY-MM-DD"
msgstr "Data da última versão, no formato AAAA-MM-DD"
#: en_US/doc-entities.xml:23(text)
msgid "2006-03-24"
msgstr "2006-03-24"
#: en_US/doc-entities.xml:26(comment)
msgid "Same for every document"
msgstr "O mesmo para cada documento"
#: en_US/doc-entities.xml:27(text)
msgid ""
"<use entity=\"DOCNAME\"/>-<use entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE"
"\"/>)"
msgstr ""
"<use entity=\"DOCNAME\"/>-<use entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE"
"\"/>)"
#: en_US/doc-entities.xml:32(comment)
msgid ""
"Useful pre-filled bug report; note the changes of the ampersand and "
"percentage characters to their entity equivalent."
msgstr ""
"Um relatório de erros preenchido e útil; repare nas alterações dos E-"
"comerciais e nos caracteres de percentagens, no que respeita ao seu "
"equivalente como entidade."
#: en_US/doc-entities.xml:35(text)
msgid ""
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&"
"percnt;20Documentation&op_sys=Linux&target_milestone=---&"
"amp;bug_status=NEW&version=devel&component=selinux-faq&"
"amp;rep_platform=All&priority=normal&bug_severity=normal&"
"amp;assigned_to=kwade%40redhat.com&cc=&"
"estimated_time_presets=0.0&estimated_time=0.0&"
"bug_file_loc=http%3A%2F%2Ffedora.redhat."
"com%2Fdocs%2Fselinux-faq%2F&"
"short_desc=CHANGE%20TO%20A%20REAL&"
"percnt;20SUMMARY&comment=%5B%5B&"
"percnt;20Description%20of%20change&"
"percnt;2FFAQ%20addition.%20%20If&"
"percnt;20a%20change%2C%20include&"
"percnt;20the%20original%0D%0Atext&"
"percnt;20first%2C%20then%20the&"
"percnt;20changed%20text%3A%20&"
"percnt;5D%5D%0D%0A%0D&"
"percnt;0A%0D%0A%5B%5B&"
"percnt;20Version-Release%20of%20FAQ%20&"
"percnt;0D%0A%28found%20on%0D&"
"percnt;0Ahttp%3A%2F%2Ffedora.redhat.com&"
"percnt;2Fdocs%2Fselinux-faq-fc5%2Fln-legalnotice."
"html%29%3A%0D%0A&"
"percnt;0D%0A%20for%20example&"
"percnt;3A%20%20selinux-faq-1.5.2%20&"
"percnt;282006-03-20%29&status_whiteboard=&"
"keywords=&issuetrackers=&dependson=&blocked=&"
"ext_bz_id=0&ext_bz_bug_id=&data=&description=&"
"amp;contenttypemethod=list&contenttypeselection=text&"
"percnt;2Fplain&contenttypeentry=&maketemplate=Remember&"
"percnt;20values%20as%20bookmarkable&"
"percnt;20template&form_name=enter_bug"
msgstr ""
"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora&"
"percnt;20Documentation&op_sys=Linux&target_milestone=---&"
"amp;bug_status=NEW&version=devel&component=selinux-faq&"
"amp;rep_platform=All&priority=normal&bug_severity=normal&"
"amp;assigned_to=kwade%40redhat.com&cc=&"
"estimated_time_presets=0.0&estimated_time=0.0&"
"bug_file_loc=http%3A%2F%2Ffedora.redhat."
"com%2Fdocs%2Fselinux-faq%2F&"
"short_desc=CHANGE%20TO%20A%20REAL&"
"percnt;20SUMMARY&comment=%5B%5B&"
"percnt;20Description%20of%20change&"
"percnt;2FFAQ%20addition.%20%20If&"
"percnt;20a%20change%2C%20include&"
"percnt;20the%20original%0D%0Atext&"
"percnt;20first%2C%20then%20the&"
"percnt;20changed%20text%3A%20&"
"percnt;5D%5D%0D%0A%0D&"
"percnt;0A%0D%0A%5B%5B&"
"percnt;20Version-Release%20of%20FAQ%20&"
"percnt;0D%0A%28found%20on%0D&"
[...3736 lines suppressed...]
"por favor em incluir um módulo de polÃtica com o seu pacote. Isto permitir-"
"lhe-á manter seguro o comportamento da sua aplicação com o poder do "
"SELinux, para qualquer utilizador que instale o seu pacote."
#: en_US/selinux-faq.xml:2721(para)
msgid ""
"One important value that Fedora testers and users bring to the community is "
"extensive testing of third-party applications. With that in mind, please "
"bring your experiences to the appropriate mailing list, such as the fedora-"
"selinux list, for discussion. For more information about that list, refer to "
"<ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list/\"/>."
msgstr ""
"Um valor importante que os responsáveis dos testes e dos utilizadores do "
"Fedora trazem para a comunidade são os testes extensos às aplicações. Com "
"isso em mente, conte por favor as suas experiências na lista de correio "
"apropriada, como a lista 'fedora-selinux', para fins de discussão. Para mais "
"informações sobre essa lista, veja em <ulink url=\"http://www.redhat.com/"
"mailman/listinfo/fedora-selinux-list/\"/>."
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: en_US/selinux-faq.xml:0(None)
msgid "translator-credits"
msgstr "José Nuno Pires <jncp at netcabo.pt>, 2006."
#~ msgid ""
#~ "For changes or additions to the Fedora SELinux FAQ, use this <ulink url="
#~ "\"&BUG-URL;\">bugzilla template</ulink>, which pre-fills most of the bug "
#~ "report. Patches should be a <command>diff -u</command> against the XML, "
#~ "which is available from CVS (refer to <ulink url=\"http://fedora.redhat."
#~ "com/projects/docs/\"></ulink> for details on obtaining the fedora-docs/"
#~ "selinux-faq module from anonymous CVS; you can get just the "
#~ "<filename>fedora-docs/selinux-faq</filename> module if you don't want the "
#~ "entire <filename>fedora-docs</filename> tree.) Otherwise, plain text "
#~ "showing before and after is sufficient."
#~ msgstr ""
#~ "Para mais adições ou modificações na FAQ de SELinux do Fedora, use este "
#~ "<ulink url=\"&BUG-URL;\">modelo do Bugzilla</ulink>, que preenche "
#~ "previamente a maior parte do relatório de erros. As actualizações deverão "
#~ "ser um <command>diff -u</command> em relação ao XML, que está disponÃvel "
#~ "no CVS (veja em <ulink url=\"http://fedora.redhat.com/projects/docs/\"/> "
#~ "para mais detalhes de obtenção do módulo fedora-docs/selinux-faq do CVS "
#~ "anónimo; poderá obter apenas o módulo <filename>fedora-docs/selinux-faq</"
#~ "filename>, se não quiser a árvore completa do <filename>fedora-docs</"
#~ "filename>.) Caso contrário, será suficiente apenas uma visualização do "
#~ "texto antes e depois."
#~ msgid ""
#~ "<command>ls -alZ <replaceable>file.foo</replaceable> \n"
#~ "id -Z \n"
#~ "ps -eZ</command>"
#~ msgstr ""
#~ "<command>ls -alZ <replaceable>ficheiro.xpto</replaceable> \n"
#~ "id -Z \n"
#~ "ps -eZ</command>"
#~ msgid ""
#~ "<computeroutput>$ mkdir foo\n"
#~ "$ cd foo</computeroutput>"
#~ msgstr ""
#~ "<computeroutput>$ mkdir xpto\n"
#~ "$ cd xpto</computeroutput>"
#~ msgid ""
#~ "<command>policygentool <replaceable>mydaemon /usr/sbin/mydaemon</"
#~ "replaceable></command>"
#~ msgstr ""
#~ "<command>policygentool <replaceable>omeuservidor /usr/sbin/omeuservidor</"
#~ "replaceable></command>"
#~ msgid ""
#~ "<command>semodule -i <replaceable>mydaemon.pp</replaceable></command>\n"
#~ "<command>restorecon -v <replaceable>/usr/sbin/mydaemon</replaceable></"
#~ "command>"
#~ msgstr ""
#~ "<command>semodule -i <replaceable>omeuservidor.pp</replaceable></"
#~ "command>\n"
#~ "<command>restorecon -v <replaceable>/usr/sbin/omeuservidor</replaceable></"
#~ "command>"
#~ msgid ""
#~ "<command>setenforce 0</command>\n"
#~ "<command>service <replaceable>mydaemon</replaceable> restart</command>"
#~ msgstr ""
#~ "<command>setenforce 0</command>\n"
#~ "<command>service <replaceable>omeuservidor</replaceable> restart</command>"
#~ msgid "<command>sestatus -v</command>"
#~ msgstr "<command>sestatus -v</command>"
#~ msgid ""
#~ "<command>ls -Z /var/log/maillog</command>\n"
#~ "-rw------- root root system_u:object_r:var_log_t /var/log/"
#~ "maillog\n"
#~ "<command>cd /var/log\n"
#~ "star -xattr -H=exustar -c -f maillog.star ./maillog*</command>"
#~ msgstr ""
#~ "<command>ls -Z /var/log/maillog</command>\n"
#~ "-rw------- root root system_u:object_r:var_log_t /var/log/"
#~ "maillog\n"
#~ "<command>cd /var/log\n"
#~ "star -xattr -H=exustar -c -f maillog.star ./maillog*</command>"
#~ msgid ""
#~ "<userinput>ls -Z -d public_html/</userinput>\n"
#~ "<computeroutput>drwxrwxr-x auser auser user_u:object_r:"
#~ "user_home_t public_html</computeroutput>\n"
#~ "<userinput>chcon -R -t httpd_user_content_t public_html/\n"
#~ "ls -Z -d public_html/</userinput>\n"
#~ "<computeroutput>drwxrwxr-x auser auser user_u:object_r:"
#~ "httpd_user_content_t public_html/</computeroutput>\n"
#~ "<userinput>ls -Z public_html/</userinput>\n"
#~ "<computeroutput>-rw-rw-r-- auser auser user_u:object_r:"
#~ "httpd_user_content_t bar.html\n"
#~ "-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz."
#~ "html\n"
#~ "-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo."
#~ "html</computeroutput>"
#~ msgstr ""
#~ "<userinput>ls -Z -d public_html/</userinput>\n"
#~ "<computeroutput>drwxrwxr-x umutilizador umutilizador user_u:"
#~ "object_r:user_home_t public_html</computeroutput>\n"
#~ "<userinput>chcon -R -t httpd_user_content_t public_html/\n"
#~ "ls -Z -d public_html/</userinput>\n"
#~ "<computeroutput>drwxrwxr-x umutilizador umutilizador user_u:"
#~ "object_r:httpd_user_content_t public_html/</computeroutput>\n"
#~ "<userinput>ls -Z public_html/</userinput>\n"
#~ "<computeroutput>-rw-rw-r-- umutilizador umutilizador user_u:"
#~ "object_r:httpd_user_content_t bar.html\n"
#~ "-rw-rw-r-- umutilizador umutilizador user_u:object_r:"
#~ "httpd_user_content_t baz.html\n"
#~ "-rw-rw-r-- umutilizador umutilizador user_u:object_r:"
#~ "httpd_user_content_t foo.html</computeroutput>"
#~ msgid ""
#~ "<computeroutput># This file controls the state of SELinux on the system.\n"
#~ "# SELINUX= can take one of these three values:\n"
#~ "# enforcing - SELinux security policy is enforced.\n"
#~ "# permissive - SELinux prints warnings instead of enforcing.\n"
#~ "# disabled - No SELinux policy is loaded.</computeroutput>\n"
#~ "SELINUX=<userinput><replaceable>enforcing</replaceable></userinput>\n"
#~ "<computeroutput># SELINUXTYPE= type of policy in use. Possible values "
#~ "are:\n"
#~ "# targeted - Only targeted network daemons are protected.\n"
#~ "# strict - Full SELinux protection.</computeroutput>\n"
#~ "SELINUXTYPE=<userinput><replaceable>targeted</replaceable></userinput>"
#~ msgstr ""
#~ "<computeroutput># Este ficheiro controla o estado do SELinux no sistema.\n"
#~ "# SELINUX= poderá usar um destes três valores:\n"
#~ "# enforcing - a polÃtica de segurança do SELinux é aplicada.\n"
#~ "# permissive - o SELinux mostra mensagens em vez de aplicar a "
#~ "polÃtica.\n"
#~ "# disabled - não é carregada nenhuma polÃtica de SELinux.</"
#~ "computeroutput>\n"
#~ "SELINUX=<userinput><replaceable>enforcing</replaceable></userinput>\n"
#~ "<computeroutput># SELINUXTYPE= o tipo de polÃtica em uso. Os valores "
#~ "possÃveis são:\n"
#~ "# targeted - Só são protegidos certos servidores de rede "
#~ "predefinidos.\n"
#~ "# strict - Protecção completa com o SELinux.</computeroutput>\n"
#~ "SELINUXTYPE=<userinput><replaceable>targeted</replaceable></userinput>"
#~ msgid ""
#~ "<userinput>su - root\n"
#~ "id -Z</userinput>\n"
#~ "<computeroutput>root:system_r:unconfined_t</computeroutput>\n"
#~ "<userinput>useradd auser\n"
#~ "ls -Z /home</userinput>\n"
#~ "<computeroutput>drwx------ auser auser root:object_r:"
#~ "user_home_dir_t /home/auser</computeroutput>"
#~ msgstr ""
#~ "<userinput>su - root\n"
#~ "id -Z</userinput>\n"
#~ "<computeroutput>root:system_r:unconfined_t</computeroutput>\n"
#~ "<userinput>useradd umutilizador\n"
#~ "ls -Z /home</userinput>\n"
#~ "<computeroutput>drwx------ umutilizador umutilizador root:object_r:"
#~ "user_home_dir_t /home/umutilizador</computeroutput>"
#~ msgid "<command>snmpd -v | cat</command>"
#~ msgstr "<command>snmpd -v | cat</command>"
#~ msgid "<command>dmesg -n 1</command>"
#~ msgstr "<command>dmesg -n 1</command>"
#~ msgid ""
#~ "<command>rm -rf /var/tmp/kdecache-<replaceable><username></"
#~ "replaceable>\n"
#~ "rm -rf /var/tmp/<replaceable><other_kde_files></replaceable></"
#~ "command>"
#~ msgstr ""
#~ "<command>rm -rf /var/tmp/kdecache-<replaceable><utilizador></"
#~ "replaceable>\n"
#~ "rm -rf /var/tmp/<replaceable><outrs_ficheiros_do_kde></"
#~ "replaceable></command>"
#~ msgid ""
#~ "<command>chcon -t swapfile_t <replaceable>SWAPFILE</replaceable></command>"
#~ msgstr ""
#~ "<command>chcon -t swapfile_t <replaceable>FICHEIRO_MEMÓRIA_VIRTUAL</"
#~ "replaceable></command>"
--- NEW FILE selinux-faq.pot ---
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2006-08-05 18:47-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
"Language-Team: LANGUAGE <LL at li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#: en_US/doc-entities.xml:6(title)
msgid "These entities are absolutely essential in this document."
msgstr ""
#: en_US/doc-entities.xml:9(comment)
msgid "A per-document entity"
msgstr ""
#: en_US/doc-entities.xml:10(wordasword)
msgid "Per-document Entity"
msgstr ""
#: en_US/doc-entities.xml:14(comment)
msgid "Should match the name of this module"
msgstr ""
#: en_US/doc-entities.xml:15(text)
msgid "selinux-faq"
msgstr ""
#: en_US/doc-entities.xml:18(comment)
msgid "Last revision number, bump when you change the doc"
msgstr ""
#: en_US/doc-entities.xml:19(text)
msgid "1.5.2"
msgstr ""
#: en_US/doc-entities.xml:22(comment)
msgid "Last revision date, format YYYY-MM-DD"
msgstr ""
#: en_US/doc-entities.xml:23(text)
msgid "2006-03-24"
msgstr ""
#: en_US/doc-entities.xml:26(comment)
msgid "Same for every document"
msgstr ""
#: en_US/doc-entities.xml:27(text)
msgid "<use entity=\"DOCNAME\"/>-<use entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE\"/>)"
msgstr ""
#: en_US/doc-entities.xml:32(comment)
msgid "Useful pre-filled bug report; note the changes of the ampersand and percentage characters to their entity equivalent."
msgstr ""
#: en_US/doc-entities.xml:35(text)
msgid "https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora%20Documentation&op_sys=Linux&target_milestone=---&bug_status=NEW&version=devel&component=selinux-faq&rep_platform=All&priority=normal&bug_severity=normal&assigned_to=kwade%40redhat.com&cc=&estimated_time_presets=0.0&estimated_time=0.0&bug_file_loc=http%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq%2F&short_desc=CHANGE%20TO%20A%20REAL%20SUMMARY&comment=%5B%5B%20Description%20of%20change%2FFAQ%20addition.%20%20If%20a%20change%2C%20include%20the%20original%0D%0Atext&perc!
nt;20first%2C%20then%20the%20changed%20text%3A%20%5D%5D%0D%0A%0D%0A%0D%0A%5B%5B%20Version-Release%20of%20FAQ%20%0D%0A%28found%20on%0D%0Ahttp%3A%2F%2Ffedora.redhat.com%2Fdocs%2Fselinux-faq-fc5%2Fln-legalnotice.html%29%3A%0D%0A%0D%0A%20for%20example%3A%20%20selinux-faq-1.5.2%20%282006-03-20%29&status_whiteboard=&keywords=&issuetrackers=&dependson=&blocked=&ext_bz_id=0&ext_bz_bug_id=&data=&descripti!
on=&contenttypemethod=list&contenttypeselectio!
n=text
p;percnt;2Fplain&contenttypeentry=&maketemplate=Remember%20values%20as%20bookmarkable%20template&form_name=enter_bug"
msgstr ""
#: en_US/doc-entities.xml:38(comment)
msgid "Locally useful."
msgstr ""
#: en_US/doc-entities.xml:39(text)
msgid "Apache HTTP"
msgstr ""
#: en_US/doc-entities.xml:42(comment)
msgid "Set value to your choice, usefule for when guide version is out of sync with FC release, use instead of FEDVER or FEDTESTVER"
msgstr ""
#: en_US/doc-entities.xml:45(text)
msgid "5"
msgstr ""
#: en_US/rpm-info.xml:14(rights)
msgid "OPL"
msgstr ""
#: en_US/rpm-info.xml:15(version)
msgid "1.0"
msgstr ""
#: en_US/rpm-info.xml:18(year)
msgid "2004"
msgstr ""
#: en_US/rpm-info.xml:19(year)
msgid "2005"
msgstr ""
#: en_US/rpm-info.xml:20(holder)
msgid "Red Hat, Inc."
msgstr ""
#: en_US/rpm-info.xml:21(holder)
msgid "Karsten Wade"
msgstr ""
#: en_US/rpm-info.xml:24(year)
msgid "2006"
msgstr ""
#: en_US/rpm-info.xml:25(holder)
msgid "Chad Sellers"
msgstr ""
#: en_US/rpm-info.xml:26(holder)
msgid "Paul W. Frields"
msgstr ""
#: en_US/rpm-info.xml:28(title)
msgid "Fedora Core 5 SELinux FAQ"
msgstr ""
#: en_US/rpm-info.xml:29(desc)
msgid "Frequently asked questions about SELinux in Fedora Core 5"
msgstr ""
#: en_US/rpm-info.xml:33(details)
msgid "Fix for bz #18727, bz#139744, bz#144696, bz#147915, and bz#190181; other fixes, including from http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions"
msgstr ""
#: en_US/rpm-info.xml:39(details)
msgid "Fix for bz #188219; legal notice fix."
msgstr ""
#: en_US/rpm-info.xml:43(details)
msgid "Updated log file location for FC5 release, added targeted domains FAQ"
msgstr ""
#: en_US/rpm-info.xml:48(details)
msgid "Numerous content updates for FC5 release"
msgstr ""
#: en_US/rpm-info.xml:52(details)
msgid "Make admonition more easily maintainable"
msgstr ""
#: en_US/rpm-info.xml:56(details)
msgid "Style and readability editing; some element clarifications"
msgstr ""
#: en_US/rpm-info.xml:61(details)
msgid "First round of editing."
msgstr ""
#: en_US/selinux-faq.xml:16(fallback)
msgid "WHERE IS MY FDP-INFO, DUDE"
msgstr ""
#: en_US/selinux-faq.xml:20(title)
msgid "SELinux Notes and FAQ"
msgstr ""
#: en_US/selinux-faq.xml:21(para)
msgid "The information in this FAQ is valuable for those who are new to SELinux. It is also valuable if you are new to the latest SELinux implementation in Fedora Core, since some of the behavior may be different than you have experienced."
msgstr ""
#: en_US/selinux-faq.xml:28(title)
msgid "This FAQ is specific to Fedora Core 5"
msgstr ""
#: en_US/selinux-faq.xml:29(para)
msgid "If you are looking for the FAQ for other versions of Fedora Core, refer to <ulink url=\"http://fedora.redhat.com/docs/selinux-faq/\"/>."
msgstr ""
#: en_US/selinux-faq.xml:34(para)
msgid "For more information about how SELinux works, how to use SELinux for general and specific Linux distributions, and how to write policy, these resources are useful:"
msgstr ""
#: en_US/selinux-faq.xml:40(title)
msgid "External Link List"
msgstr ""
#: en_US/selinux-faq.xml:42(para)
msgid "NSA SELinux main website —<ulink url=\"http://www.nsa.gov/selinux/\"/>"
msgstr ""
#: en_US/selinux-faq.xml:48(para)
msgid "NSA SELinux FAQ —<ulink url=\"http://www.nsa.gov/selinux/info/faq.cfm\"/>"
msgstr ""
#: en_US/selinux-faq.xml:54(para)
msgid "SELinux community page —<ulink url=\"http://selinux.sourceforge.net\"/>"
msgstr ""
#: en_US/selinux-faq.xml:60(para)
msgid "UnOfficial FAQ —<ulink url=\"http://www.crypt.gen.nz/selinux/faq.html\"/>"
msgstr ""
#: en_US/selinux-faq.xml:66(para)
msgid "Writing traditional SE Linux policy HOWTO —<ulink url=\"https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266\"/>"
msgstr ""
#: en_US/selinux-faq.xml:73(para)
msgid "Reference Policy (the new policy found in Fedora Core 5) —<ulink url=\"http://serefpolicy.sourceforge.net/\"/>"
msgstr ""
#: en_US/selinux-faq.xml:80(para)
msgid "SELinux policy development training courses —<ulink url=\"http://tresys.com/services/training.shtml\"/> and <ulink url=\"https://www.redhat.com/training/security/courses/rhs429.html\"/>"
msgstr ""
#: en_US/selinux-faq.xml:89(para)
msgid "Getting Started with SE Linux HOWTO: the new SE Linux (Debian) —<ulink url=\"https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266\"/>"
msgstr ""
#: en_US/selinux-faq.xml:96(para)
msgid "List of SELinux object classes and permissions —<ulink url=\"http://tresys.com/selinux/obj_perms_help.shtml\"/>"
msgstr ""
#: en_US/selinux-faq.xml:103(para)
msgid "On IRC — irc.freenode.net, #fedora-selinux"
msgstr ""
#: en_US/selinux-faq.xml:108(para)
msgid "Fedora mailing list —<ulink url=\"mailto:fedora-selinux-list at redhat.com\"/>; read the archives or subscribe at <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\"/>"
msgstr ""
#: en_US/selinux-faq.xml:117(title)
msgid "Making changes/additions to the Fedora SELinux FAQ"
msgstr ""
#: en_US/selinux-faq.xml:118(para)
msgid "This FAQ is available at <ulink url=\"http://fedora.redhat.com/docs/selinux-faq-fc5/\">http://fedora.redhat.com/docs/selinux-faq-fc5/</ulink>."
msgstr ""
#: en_US/selinux-faq.xml:122(para)
msgid "For changes or additions to the Fedora SELinux FAQ, use this <ulink url=\"https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora20Documentation&op_sys=Linux&target_milestone=---&bug_status=NEW&version=devel&component=selinux-faq&rep_platform=All&priority=normal&bug_severity=normal&assigned_to=kwade40redhat.com&cc=&estimated_time_presets=0.0&estimated_time=0.0&bug_file_loc=http3A2F2Ffedora.redhat.com2Fdocs2Fselinux-faq2F&short_desc=CHANGE20TO20A20REAL20SUMMARY&comment=5B5B20Description20of20change2FFAQ20addition.2020If20a20change2C20include20the20original0D0Atext20first2C20then20the20changed20text3A205D5D0D0A0D0A0D0A5B5B20Version-Release20of20FAQ200D0A28found20on0D0Ahttp3A2F2Ffedora.redhat.com2Fdocs2Fselinux-faq-fc52Fln-legalnotice.html293A0D0A0D0A20for20example3A2020selinux-faq-1.5.220282006-03-2029&status_whiteboard=&keywords=&issuetrackers=&dependson=&blocked=&ext_bz_id=0&!
amp;ext_bz_bug_id=&data=&description=&contenttypemethod=list&contenttypeselection=text2Fplain&contenttypeentry=&maketemplate=Remember20values20as20bookmarkable20template&form_name=enter_bug\">bugzilla template</ulink>, which pre-fills most of the bug report. Patches should be a <command>diff -u</command> against the XML, which is available from CVS (refer to <ulink url=\"http://fedora.redhat.com/projects/docs/\"/> for details on obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can get just the <filename>fedora-docs/selinux-faq</filename> module if you don't want the entire <filename>fedora-docs</filename> tree.) Otherwise, plain text showing before and after is sufficient."
msgstr ""
#: en_US/selinux-faq.xml:133(para)
msgid "For a list of all bug reports filed against this FAQ, refer to <ulink url=\"https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757\">https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=118757</ulink>."
msgstr ""
#: en_US/selinux-faq.xml:142(title)
msgid "Understanding SELinux"
msgstr ""
#: en_US/selinux-faq.xml:145(para)
msgid "What is SELinux?"
msgstr ""
#: en_US/selinux-faq.xml:150(para)
msgid "SELinux (<firstterm>Security-Enhanced Linux</firstterm>) in Fedora Core is an implementation of <firstterm>mandatory access control</firstterm> in the Linux kernel using the <firstterm>Linux Security Modules</firstterm> (<abbrev>LSM</abbrev>) framework. Standard Linux security is a <firstterm>discretionary access control</firstterm> model."
msgstr ""
#: en_US/selinux-faq.xml:160(term)
msgid "Discretionary access control (<abbrev>DAC</abbrev>)"
msgstr ""
#: en_US/selinux-faq.xml:162(para)
msgid "DAC is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own."
msgstr ""
#: en_US/selinux-faq.xml:171(term)
msgid "Mandatory access control (<abbrev>MAC</abbrev>)"
msgstr ""
#: en_US/selinux-faq.xml:173(para)
msgid "MAC provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user."
msgstr ""
#: en_US/selinux-faq.xml:183(para)
msgid "In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is <command>setuid</command> or <command>setgid</command> to root, the process can have root level control over the entire file system."
msgstr ""
#: en_US/selinux-faq.xml:194(para)
msgid "A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity."
msgstr ""
#: en_US/selinux-faq.xml:202(para)
msgid "MAC under SELinux allows you to provide granular permissions for all <firstterm>subjects</firstterm> (users, programs, processes) and <firstterm>objects</firstterm> (files, devices). In practice, think of subjects as processes, and objects as the target of a process operation. You can safely grant a process only the permissions it needs to perform its function, and no more."
msgstr ""
#: en_US/selinux-faq.xml:210(para)
msgid "The SELinux implementation uses <firstterm>role-based access control</firstterm> (<abbrev>RBAC</abbrev>), which provides abstracted user-level control based on roles, and <firstterm><trademark class=\"registered\">Type Enforcement</trademark></firstterm> (<abbrev>TE</abbrev>). TE uses a table, or <firstterm>matrix</firstterm> to handle access controls, enforcing policy rules based on the types of processes and objects. Process types are called <firstterm>domains</firstterm>, and a cross-reference on the matrix of the process's domain and the object's type defines their interaction. This system provides extremely granular control for actors in a Linux system."
msgstr ""
#: en_US/selinux-faq.xml:228(para)
msgid "What is SELinux policy?"
msgstr ""
#: en_US/selinux-faq.xml:233(para)
msgid "The SELinux policy describes the access permissions for all subjects and objects, that is, the entire system of users, programs, and processes and the files and devices they act upon. Fedora Core policy is delivered in a package, with an associated source package. Current shipping policy packages are:"
msgstr ""
#: en_US/selinux-faq.xml:242(replaceable) en_US/selinux-faq.xml:260(replaceable) en_US/selinux-faq.xml:261(replaceable) en_US/selinux-faq.xml:262(replaceable)
msgid "<version>"
msgstr ""
#: en_US/selinux-faq.xml:242(filename)
msgid "selinux-policy-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:244(para)
msgid "This package is common to all types of policy and contains config files/man pages. This includes the interface files for the development environment. This replaces the -sources package from the past. This package contains the interface files used in Reference Policy along with a Makefile and a small tool called <command>policygentool</command> used to generate a policy template file. The interface files reside in <filename>/usr/share/selinux/devel/include</filename> directory. If you want to see all of the policy files used to build the Reference Policy you need to install the src.rpm."
msgstr ""
#: en_US/selinux-faq.xml:260(filename)
msgid "selinux-policy-strict-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:261(filename)
msgid "selinux-policy-targeted-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:262(filename)
msgid "selinux-policy-mls-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:264(para)
msgid "Installed policy and supporting files are found in subdirectories of <filename>/etc/selinux/<replaceable>policyname</replaceable>/</filename>. The subdirectories include"
msgstr ""
#: en_US/selinux-faq.xml:272(para)
msgid "<filename>policy</filename> - binary policy that is loaded into the kernel"
msgstr ""
#: en_US/selinux-faq.xml:278(para)
msgid "<filename>contexts</filename> - context/labeling policy used for making labeling decisions by programs like restorecon and fixfiles"
msgstr ""
#: en_US/selinux-faq.xml:285(para)
msgid "<filename>modules</filename> - store for policy modules that are combined to make the binary kernel policy. Note that this should note be edited by hand, as it is a private resource of libsemanage."
msgstr ""
#: en_US/selinux-faq.xml:296(para) en_US/selinux-faq.xml:351(para) en_US/selinux-faq.xml:498(para) en_US/selinux-faq.xml:521(para)
msgid "More information on the different policies available in SELinux can be found at <ulink url=\"http://fedoraproject.org/wiki/SELinux/Policies\"/>."
msgstr ""
#: en_US/selinux-faq.xml:308(para)
msgid "What is the SELinux targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:313(para)
msgid "When SELinux was initially introduced in Fedora Core, it enforced the NSA strict policy. For testing purposes, this effectively exposed hundreds of problems in the strict policy. In addition, it demonstrated that applying a single strict policy to the many environments of Fedora users was not feasible. To manage a single strict policy for anything other than default installation would require local expertise."
msgstr ""
#: en_US/selinux-faq.xml:322(para)
msgid "At this point, the SELinux developers reviewed their choices, and decided to try a different strategy. They decided to create a <firstterm>targeted</firstterm> policy that locks down specific daemons, especially those vulnerable to attack or which could devastate a system if broken or compromised. The rest of the system runs exactly as it would under standard Linux DAC security."
msgstr ""
#: en_US/selinux-faq.xml:330(para)
msgid "Under the targeted policy, most processes run in the <computeroutput>unconfined_t</computeroutput> domain. As the name implies, these processes are mostly unconfined by the SELinux policy. They are still governed by standard Linux DAC security, however."
msgstr ""
#: en_US/selinux-faq.xml:337(para)
msgid "Those network daemons which are addressed in the targeted policy make a transition to the targeted policy when the application starts. For example, at system boot, <command>init</command> runs under the <computeroutput>unconfined_t</computeroutput> policy. When <command>named</command> starts, it makes a transition to the <computeroutput>named_t</computeroutput> domain and is locked down by the appropriate policy."
msgstr ""
#: en_US/selinux-faq.xml:346(para)
msgid "For more information on enabling or disabling targeted policy on each of the specific daemons, refer to <xref linkend=\"qa-using-s-c-securitylevel\"/>."
msgstr ""
#: en_US/selinux-faq.xml:360(para)
msgid "What programs are protected by the targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:365(para)
msgid "Currently, the list of programs is approximately:"
msgstr ""
#: en_US/selinux-faq.xml:368(para)
msgid "<filename>accton</filename>, <filename>amanda</filename>, <filename>httpd</filename> (apache), <filename>arpwatch</filename>, <filename>pam</filename>, <filename>automount</filename>, <filename>avahi</filename>, <filename>named</filename>, <filename>bluez</filename>, <filename>lilo</filename>, <filename>grub</filename>, <filename>canna</filename>, <filename>comsat</filename>, <filename>cpucontrol</filename>, <filename>cpuspeed</filename>, <filename>cups</filename>, <filename>cvs</filename>, <filename>cyrus</filename>, <filename>dbskkd</filename>, <filename>dbus</filename>, <filename>dhcpd</filename>, <filename>dictd</filename>, <filename>dmidecode</filename>, <filename>dovecot</filename>, <filename>fetchmail</filename>, <filename>fingerd</filename>, <filename>ftpd</filename> (vsftpd, proftpd, and muddleftpd), <filename>gpm</filename>, <filename>hald</filename>, <filename>hotplug</filename>, <filename>howl</filename>, <filename>innd</filename>, <filename>kerberos</file!
name>, <filename>ktalkd</filename>, <filename>openldap</filename>, <filename>auditd</filename>, <filename>syslog</filename>, <filename>logwatch</filename>, <filename>lpd</filename>, <filename>lvm</filename>, <filename>mailman</filename>, <filename>module-init-tools</filename>, <filename>mount</filename>, <filename>mysql</filename>, <filename>NetworkManager</filename>, <filename>NIS</filename>, <filename>nscd</filename>, <filename>ntp</filename>, <filename>pegasus</filename>, <filename>portmap</filename>, <filename>postfix</filename>, <filename>postgresql</filename>, <filename>pppd</filename>, <filename>pptp</filename>, <filename>privoxy</filename>, <filename>procmail</filename>, <filename>radiusd</filename>, <filename>radvd</filename>, <filename>rlogin</filename>, <filename>nfs</filename>, <filename>rsync</filename>, <filename>samba</filename>, <filename>saslauthd</filename>, <filename>snmpd</filename>, <filename>spamd</filename>, <filename>squid</filename>, <filename>stunn!
el</filename>, <filename>dhcpc</filename>, <filename>ifconfig<!
/filen
>, <filename>sysstat</filename>, <filename>tcp wrappers</filename>, <filename>telnetd</filename>, <filename>tftpd</filename>, <filename>updfstab</filename>, <filename>user management</filename> (passwd, useradd, etc.), <filename>crack</filename>, <filename>uucpd</filename>, <filename>vpnc</filename>, <filename>webalizer</filename>, <filename>xend</filename>, <filename>xfs</filename>, <filename>zebra</filename>"
msgstr ""
#: en_US/selinux-faq.xml:481(para)
msgid "What about the strict policy? Does it even work?"
msgstr ""
#: en_US/selinux-faq.xml:486(para)
msgid "The strict policy <emphasis>does</emphasis> work on Fedora Core. It is challenged by the unique environments of different users. To use the strict policy in your environment, you may need to fine-tune both the policy and your systems."
msgstr ""
#: en_US/selinux-faq.xml:492(para)
msgid "To make the strict policy easier to use, SELinux developers have tried to make the change from one policy to the other easier. For example, <command>system-config-securitylevel</command> builds a relabel into the startup scripts."
msgstr ""
#: en_US/selinux-faq.xml:507(para)
msgid "What is the mls policy? Who is it for?"
msgstr ""
#: en_US/selinux-faq.xml:512(para)
msgid "The mls policy is similar to the strict policy, but adds an additional field to security contexts for separating levels. SELinux can use these levels to separate data in an environment that calls for strict hierarchical separation. A typical example is a military setting, where data is classified at a certain level. This policy is geared toward this sort of environment, and is probably not useful to you unless you fall into this category."
msgstr ""
#: en_US/selinux-faq.xml:530(para)
msgid "What is the Reference Policy?"
msgstr ""
#: en_US/selinux-faq.xml:535(para)
msgid "The <firstterm>Reference Policy</firstterm> is a new project maintained by Tresys Technology (<ulink url=\"http://www.tresys.com/\"/>) designed to rewrite the entire SELinux policy in a way that is easier to use and understand. To do this, it uses the concepts of modularity, abstraction, and well-defined interfaces. Refer to <ulink url=\"http://serefpolicy.sourceforge.net/\"/> for more information on the Reference Policy."
msgstr ""
#: en_US/selinux-faq.xml:546(para)
msgid "Note that Reference Policy is not a new type of policy, like targeted or strict. Rather, it is a new base that policies can be built from. Targeted, strict, and mls policies can all be built from Reference Policy. In fact, one of the design goals of Reference Policy is to have a single unified source tree for the different policy variants."
msgstr ""
#: en_US/selinux-faq.xml:554(para)
msgid "Fedora policies at version 1.x are based on the traditional example policy. Version 2.x policies (as used in Fedora Core 5) are based on the Reference Policy."
msgstr ""
#: en_US/selinux-faq.xml:563(para)
msgid "What are file contexts?"
msgstr ""
#: en_US/selinux-faq.xml:568(para)
msgid "<firstterm>File contexts</firstterm> are used by the <command>setfiles</command> command to generate persistent labels which describe the security context for a file or directory."
msgstr ""
#: en_US/selinux-faq.xml:573(para)
msgid "Fedora Core ships with the <command>fixfiles</command> script, which supports three options: <option>check</option>, <option>restore</option>, and <option>relabel</option>. This script allows users to relabel the file system without having the <filename>selinux-policy-targeted-sources</filename> package installed. The command line usage is more friendly than the standard <command>setfiles</command> command."
msgstr ""
#: en_US/selinux-faq.xml:586(para)
msgid "How do I view the security context of a file, user, or process?"
msgstr ""
#: en_US/selinux-faq.xml:591(para)
msgid "The new option <option>-Z</option> is the short method for displaying the context of a subject or object:"
msgstr ""
#: en_US/selinux-faq.xml:596(replaceable)
msgid "file.foo"
msgstr ""
#: en_US/selinux-faq.xml:596(command)
msgid "ls -alZ <placeholder-1/> id -Z ps -eZ"
msgstr ""
#: en_US/selinux-faq.xml:604(para)
msgid "What is the difference between a <firstterm>domain</firstterm> and a <firstterm>type</firstterm>?"
msgstr ""
#: en_US/selinux-faq.xml:610(para)
msgid "There is no difference between a domain and a type, although domain is sometimes used to refer to the type of a process. The use of domain in this way stems from Domain and Type Enforcement (DTE) models, where domains and types are separate."
msgstr ""
#: en_US/selinux-faq.xml:620(para)
msgid "What are policy modules?"
msgstr ""
#: en_US/selinux-faq.xml:625(para)
msgid "Prior to Fedora Core 5, SELinux policies were monolithic, meaning making a change required getting the entire policy source, modifying it, compiling it, and replacing the current policy with it. With Fedora Core 5, the policy is now modular. This means that third party developers can ship policy modules with their applications, and then they can be added to the policy without having to switch out the entire policy. The new module is then added to the module store, which results in a new policy binary that is a combination of the previous policy and the new module."
msgstr ""
#: en_US/selinux-faq.xml:637(para)
msgid "This actually works by separating out compile and link steps in the policy build procedure. Policy modules are compiled from source, and linked when installed into the module store (see <xref linkend=\"faq-entry-whatis-managed-policy\"/>). This linked policy is then loaded into the kernel for enforcement."
msgstr ""
#: en_US/selinux-faq.xml:644(para)
msgid "The primary command for dealing with modules is <command>semodule</command>, which lets you perform basic functions such as installing, upgrading, or removing modules. Other useful commands include <command>checkmodule</command>, which is the module compiler and is installed with the checkpolicy rpm, as well as <command>semodule_package</command>, which creates a policy package file (.pp) from a compiled policy module."
msgstr ""
#: en_US/selinux-faq.xml:654(para)
msgid "Modules are usually stored as policy package file (.pp extension) in <filename>/usr/share/selinux/<replaceable>policyname</replaceable>/</filename>. There you should at least find the base.pp, which is the base module."
msgstr ""
#: en_US/selinux-faq.xml:661(para)
msgid "To see how to write a simple policy module, check out <xref linkend=\"faq-entry-local.te\"/>."
msgstr ""
#: en_US/selinux-faq.xml:669(para)
msgid "What is managed policy?"
msgstr ""
#: en_US/selinux-faq.xml:674(para)
msgid "Prior to Fedora Core 5, SELinux policies were handled as user-editable config files in etc. Unfortunately, this made it difficult to address many of the usability issues arising with SELinux. So, a new library, <filename>libsemanage</filename>, was added to provide userspace tools an interface to making policy management easier. All policy management should use this library to access the policy store. The policy store holds all the policy information, and is found at <filename>/etc/selinux/<replaceable>policyname</replaceable>/modules/</filename>."
msgstr ""
#: en_US/selinux-faq.xml:685(para)
msgid "You should never have to edit the store directly. Instead, you should use tools that link against libsemanage. One example tool is <command>semanage</command>, which is a command line tool for managing much of the policy such as SELinux user mappings, SELinux port mappings, and file contexts entries. Other examples of tools that use libsemanage include <command>semodule</command> which uses it to manage the SELinux policy modules installed to the policy store and <command>setsebool</command> which uses it manage SELinux policy booleans. Additionally, graphical tools are currently being developed to utilize the functionality provided by libsemanage."
msgstr ""
#: en_US/selinux-faq.xml:702(title)
msgid "Controlling SELinux"
msgstr ""
#: en_US/selinux-faq.xml:705(para)
msgid "How do I install/not install SELinux?"
msgstr ""
#: en_US/selinux-faq.xml:710(para)
msgid "The installer follows the choice you make in the <guilabel>Firewall Configuration</guilabel> screen. The default running policy is the targeted policy, and it is on by default."
msgstr ""
#: en_US/selinux-faq.xml:719(para)
msgid "As an administrator, what do I need to do to configure SELinux for my system?"
msgstr ""
#: en_US/selinux-faq.xml:725(para)
msgid "The answer might be nothing. There are many Fedora users that don't even realize that they are using SELinux. SELinux provides protection for their systems with an out-of-the-box configuration. That said, there are a couple of things an administrator might want to do to configure their system. These include:"
msgstr ""
#: en_US/selinux-faq.xml:735(term)
msgid "booleans"
msgstr ""
#: en_US/selinux-faq.xml:737(para)
msgid "Booleans are settings that can be flipped to alter SELinux policy behavior without having to write new policy. There are many booleans that can be set in Fedora, and they allow an administrator to configure SELinux to a great degree. To view the available booleans and modify their settings, use <command>system-config-securitylevel</command> or the command line tool <command>setsebool</command>."
msgstr ""
#: en_US/selinux-faq.xml:749(term)
msgid "setting customizable file contexts"
msgstr ""
#: en_US/selinux-faq.xml:751(para)
msgid "Files on an SELinux system have a security context which is stored in the extended attribute of the file (behavior can vary from filesystem to filesystem, but this is how ext3 works). These are set by <command>rpm</command> automatically, but sometimes a user might want to set a particular context on a file. An example would be setting the context on a <filename>public_html</filename> directory so that <command>apache</command> can access it, as illustrated in <xref linkend=\"faq-entry-public_html\"/>."
msgstr ""
#: en_US/selinux-faq.xml:763(para)
msgid "For a list of types that you might want to assign to files, see <filename>/etc/selinux/targeted/contexts/customizable_types</filename>. These are types commonly assigned to files by users and administrators. To set these, use the <command>chcon</command> command. Note that the types in <filename>customizable_types</filename> are also preserved after a relabel, so relabeling the system will not undo this."
msgstr ""
#: en_US/selinux-faq.xml:777(term)
msgid "making badly behaving libraries work"
msgstr ""
#: en_US/selinux-faq.xml:779(para)
msgid "There are many libraries around that behave badly and try to break the memory protections SELinux provides. These libraries should really be fixed, so please file a bug with the library maintainer. That said, they can be made to work. More information and solutions to make the libraries work can be found in <xref linkend=\"faq-entry-unconfined_t\"/>."
msgstr ""
#: en_US/selinux-faq.xml:795(para)
msgid "How do I enable/disable SELinux protection on specific daemons under the targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:801(para)
msgid "Use <command>system-config-securitylevel</command>, also known as the <application>Security Level Configuration</application> graphical tool, to control the Boolean values of specific daemons. For example, if you need to disable SELinux for Apache to run correctly in your environment, you can disable the value in <command>system-config-securitylevel</command>. This change disables the transition to the policy defined in <filename>apache.te</filename>, allowing <command>httpd</command> to remain under regular Linux DAC security."
msgstr ""
#: en_US/selinux-faq.xml:817(para)
msgid "In the past I have written local.te file in policy sources for my own local customization to policy, how do I do this in Fedora Core 5?"
msgstr ""
#: en_US/selinux-faq.xml:824(para)
msgid "Since Fedora Core 5 uses a modular policy, you don't have to have the complete policy source any more. Now, you can just create a local policy module for your local policy customizations. To do this, follow these steps."
msgstr ""
#: en_US/selinux-faq.xml:832(para)
msgid "Create a temporary directory, and change into it."
msgstr ""
#: en_US/selinux-faq.xml:836(computeroutput)
#, no-wrap
msgid "$ mkdir foo\n$ cd foo"
msgstr ""
#: en_US/selinux-faq.xml:841(para)
msgid "Create empty te, if, and fc files."
msgstr ""
#: en_US/selinux-faq.xml:845(computeroutput)
#, no-wrap
msgid "$ touch local.te local.if local.fc"
msgstr ""
#: en_US/selinux-faq.xml:849(para)
msgid "Edit the local.te file, adding appropriate content. For example:"
msgstr ""
#: en_US/selinux-faq.xml:854(computeroutput)
#, no-wrap
msgid "policy_module(local, 1.0)\n\nrequire {\n\tattribute httpdcontent;\n\ttype smbd_t;\n}\n\nallow smbd_t httpdcontent:dir create_dir_perms;\nallow smbd_t httpdcontent:{ file lnk_file } create_file_perms;"
msgstr ""
#: en_US/selinux-faq.xml:864(para)
msgid "There are 3 parts to this file."
msgstr ""
#: en_US/selinux-faq.xml:869(para)
msgid "The <computeroutput>policy_module</computeroutput> call inserts statements to make the module work, including declaring the module and requiring system roles, classes, and permissions. Make sure the name declared here (local in this case) matches the name you gave the file (local.te)."
msgstr ""
#: en_US/selinux-faq.xml:879(para)
msgid "The <computeroutput>require</computeroutput> block lists the symbols that this module uses that must be declared in other modules. In this case, we require the attribute <computeroutput>httpdcontent</computeroutput> and the type <computeroutput>smbd_t</computeroutput>. Note that all types and attributes you use in rules must be required here unless you are declaring them yourself below."
msgstr ""
#: en_US/selinux-faq.xml:891(para)
msgid "The rest of the file is the policy, in this case consisting only of a couple of allow rules. You could also place type declarations, dontaudit statements, interface calls, or most things that can go in a normal te file here."
msgstr ""
#: en_US/selinux-faq.xml:902(para)
msgid "Build the policy module."
msgstr ""
#: en_US/selinux-faq.xml:906(computeroutput)
#, no-wrap
msgid "$ make -f /usr/share/selinux/devel/Makefile\nCompliling targeted local module\n/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp\n/usr/bin/checkmodule: policy configuration loaded\n/usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod\nCreating targeted local.pp policy package\nrm tmp/local.mod.fc tmp/local.mod"
msgstr ""
#: en_US/selinux-faq.xml:914(para)
msgid "Note that this uses <command>checkmodule</command>, which is part of the checkpolicy rpm. So, make sure you install this rpm before doing this."
msgstr ""
#: en_US/selinux-faq.xml:921(para)
msgid "Become root, and install the policy module with <command>semodule</command>."
msgstr ""
#: en_US/selinux-faq.xml:926(computeroutput)
#, no-wrap
msgid "$ su\nPassword:\n# semodule -i local.pp"
msgstr ""
#: en_US/selinux-faq.xml:933(title)
msgid "Module are uniquely identified by name"
msgstr ""
#: en_US/selinux-faq.xml:934(para)
msgid "This means that if you later insert another <filename>local.pp</filename>, it will replace the one you just loaded. So, you should keep this <filename>local.te</filename> around, and just add to it if you need to make later policy customizations. If you lose it, but want to keep your previous policy around, just call the new local policy module something else (say local2.te)."
msgstr ""
#: en_US/selinux-faq.xml:948(para)
msgid "I have some avc denials that I would like to allow, how do I do this?"
msgstr ""
#: en_US/selinux-faq.xml:953(para)
msgid "If you have specific AVC messages you can use <command>audit2allow</command> to generate a Type Enforcement file that is ready to load as a policy module."
msgstr ""
#: en_US/selinux-faq.xml:960(command)
msgid "audit2allow -M local < /tmp/avcs"
msgstr ""
#: en_US/selinux-faq.xml:962(para)
msgid "This creates a <filename>local.pp</filename> which you can then load into the kernel using <command>semodule -i local.pp</command>. You can also edit the <filename>local.te</filename> to make additional customizations. To create a module allowing all the denials since the last reboot that you can then customize, execute the following:"
msgstr ""
#: en_US/selinux-faq.xml:972(command)
msgid "audit2allow -m local -l -i /var/log/messages > local.te"
msgstr ""
#: en_US/selinux-faq.xml:974(para)
msgid "Note that the above assumes you are not using the audit daemon. If you were using the audit daemon, then you should use <filename>/var/log/audit/audit.log</filename> instead of <filename>/var/log/messages</filename> as your log file. This generates a <filename>local.te</filename> file, that looks similar to the following:"
msgstr ""
#: en_US/selinux-faq.xml:983(computeroutput)
#, no-wrap
msgid "module local 1.0;\n\nrequire {\n class file { append execute execute_no_trans getattr ioctl read write };\n type httpd_t;\n type httpd_w3c_script_exec_t;\n };\n\n\nallow httpd_t httpd_w3c_script_exec_t:file { execute execute_no_trans getattr ioctl read };"
msgstr ""
#: en_US/selinux-faq.xml:994(para)
msgid "You can hand edit this file, removing allow statements that you don't want to allow, and then recompile and reload it using"
msgstr ""
#: en_US/selinux-faq.xml:1001(para)
msgid "<command>checkmodule -M -m -o local.mod local.te</command> to compile the te file. Note that <command>checkmodule</command> is part of the checkpolicy rpm, so you need to have it installed."
msgstr ""
#: en_US/selinux-faq.xml:1009(para)
msgid "<command>semodule_package -o local.pp -m local.mod</command> to create a policy package."
msgstr ""
#: en_US/selinux-faq.xml:1015(para)
msgid "<command>semodule -i local.pp</command> to add it to the current machine's running policy. This installs a new module called local with these rules into the module store."
msgstr ""
#: en_US/selinux-faq.xml:1023(title)
msgid "Important"
msgstr ""
#: en_US/selinux-faq.xml:1024(para)
msgid "In order to load this newly created policy package into the kernel, you are required to execute <command>semodule -i local.pp</command>"
msgstr ""
#: en_US/selinux-faq.xml:1029(para)
msgid "Note that if you later install another module called local, it will replace this module. If you want to keep these rules around, then you either need to append future customizations to this local.te, or give future customizations a different name."
msgstr ""
#: en_US/selinux-faq.xml:1041(para)
msgid "How can I help write policy?"
msgstr ""
#: en_US/selinux-faq.xml:1046(para)
msgid "Your help is definitely appreciated."
msgstr ""
#: en_US/selinux-faq.xml:1051(para)
msgid "You can start by joining the Fedora SELinux mailing list. You can subscribe and read the archives at <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\"/>."
msgstr ""
#: en_US/selinux-faq.xml:1058(para)
msgid "The Unofficial FAQ has some generic policy writing HOWTO information. Refer to <ulink url=\"http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266#BSP.1\"/> for more information."
msgstr ""
#: en_US/selinux-faq.xml:1066(para)
msgid "Another new resource is the Writing SE Linux policy HOWTO, located online at <ulink url=\"https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266\"/>."
msgstr ""
#: en_US/selinux-faq.xml:1073(para)
msgid "Also, since the Fedora Core 5 policy is based on the <xref linkend=\"faq-entry-whatis-refpolicy\"/>, you should look at the documentation on its project page. Another excellent source of information is the example policy files in <filename>/usr/share/doc/selinux-policy-<replaceable>>version<</replaceable></filename> and <filename>/usr/share/selinux/devel</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1081(para)
msgid "If you want to create a new policy domain, you can look at the interface files in the <filename>/usr/share/selinux/devel</filename> sub-directories. There is also a tool there to help you get started. The following procedure is an example:"
msgstr ""
#: en_US/selinux-faq.xml:1090(para)
msgid "Use the <command>policygentool</command> command to generate your own <filename>te</filename>, <filename>fc</filename> and <filename>if</filename> files. The <command>policygentool</command> command takes two parameters: the name of the policy module and the full path to the executable. The following command gives a usage example:"
msgstr ""
#: en_US/selinux-faq.xml:1099(replaceable)
msgid "mydaemon /usr/sbin/mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1099(command)
msgid "policygentool <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1101(para)
msgid "It will prompt you for a few common domain characteristics, and will create three files: <filename>mydaemon.te</filename>, <filename>mydaemon.fc</filename> and <filename>mydaemon.if</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1110(para)
msgid "After you generate the policy files, use the supplied Makefile, <filename>/usr/share/selinux/devel/Makefile</filename>, to build a policy package (<filename>mydaemon.pp</filename>):"
msgstr ""
#: en_US/selinux-faq.xml:1118(command)
msgid "make -f /usr/share/selinux/devel/Makefile"
msgstr ""
#: en_US/selinux-faq.xml:1122(para)
msgid "Now you can load the policy module, using <command>semodule</command>, and relabel the executable using <command>restorecon</command>:"
msgstr ""
#: en_US/selinux-faq.xml:1128(replaceable)
msgid "mydaemon.pp"
msgstr ""
#: en_US/selinux-faq.xml:1128(command)
msgid "semodule -i <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1129(replaceable)
msgid "/usr/sbin/mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1129(command)
msgid "restorecon -v <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1133(para)
msgid "Since you have very limited policy for your executable, SELinux will prevent it from doing much. Turn on permissive mode and then use the init script to start your daemon:"
msgstr ""
#: en_US/selinux-faq.xml:1139(command)
msgid "setenforce 0"
msgstr ""
#: en_US/selinux-faq.xml:1140(replaceable)
msgid "mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1140(command)
msgid "service <placeholder-1/> restart"
msgstr ""
#: en_US/selinux-faq.xml:1144(para)
msgid "Now you can collect avc messages. You can use <command>audit2allow</command> to translate the avc messages to allow rules and begin updating your <filename>mydaemon.te</filename> file. You should search for interface macros in the <filename>/usr/share/selinux/devel/include</filename> directory and use these instead of using the allow rules directly, whenever possible. <command>audit2allow -R</command> will attempt to find interfaces that match the allow rule. If you want more examples of policy, you could always install the selinux-policy src rpm, which contains all of the policy te files for the reference policy."
msgstr ""
#: en_US/selinux-faq.xml:1162(para)
msgid "How do I switch the policy I am currently using?"
msgstr ""
#: en_US/selinux-faq.xml:1168(title)
msgid "Use caution when switching policy"
msgstr ""
#: en_US/selinux-faq.xml:1169(para)
msgid "Other than trying out a new policy on a test machine for research purposes, you should seriously consider your situation before switching to a different policy on a production system. The act of switching is straightforward. This method is fairly safe, but you should try it first on a test system."
msgstr ""
#: en_US/selinux-faq.xml:1177(para)
msgid "To use the automated method, run the <application>Security Level Configuration</application> tool. From the GUI Main Menu, select <menuchoice><guimenu>Desktop</guimenu><guisubmenu>System Settings</guisubmenu><guimenuitem>Security level</guimenuitem></menuchoice>, or from a terminal, run <command>system-config-securitylevel</command>. Change the policy as desired and ensure that the <guilabel>Relabel on next reboot</guilabel> option is enabled."
msgstr ""
#: en_US/selinux-faq.xml:1189(para)
msgid "You can also perform these steps manually with the following procedure:"
msgstr ""
#: en_US/selinux-faq.xml:1195(para)
msgid "Edit <filename>/etc/selinux/config</filename> and change the type and the mode of policy:"
msgstr ""
#: en_US/selinux-faq.xml:1200(replaceable)
msgid "policyname"
msgstr ""
#: en_US/selinux-faq.xml:1200(userinput)
#, no-wrap
msgid "SELINUXTYPE=<placeholder-1/>\nSELINUX=permissive"
msgstr ""
#: en_US/selinux-faq.xml:1203(para)
msgid "This step ensures are not locked out after rebooting. SELinux runs under the correct policy, but does allow you to login if there is a problem such as incorrect file context labeling."
msgstr ""
#: en_US/selinux-faq.xml:1211(para)
msgid "Set the system to relabel the file system on reboot:"
msgstr ""
#: en_US/selinux-faq.xml:1215(command)
msgid "touch /.autorelabel"
msgstr ""
#: en_US/selinux-faq.xml:1219(para)
msgid "Reboot the system. A clean restart under the new policy allows all system processes to be started in the proper context, and reveals any problems in the policy change."
msgstr ""
#: en_US/selinux-faq.xml:1226(para)
msgid "Confirm your changes took effect with the following command:"
msgstr ""
#: en_US/selinux-faq.xml:1230(command)
msgid "sestatus -v"
msgstr ""
#: en_US/selinux-faq.xml:1232(para)
msgid "With the new system running in <computeroutput>permissive</computeroutput> mode, check <filename>/var/log/messages</filename> for <computeroutput>avc: denied</computeroutput> messages. These may indicate a problem that needs to be solved for the system to run without trouble under the new policy."
msgstr ""
#: en_US/selinux-faq.xml:1242(para)
msgid "When you are satisfied that the system runs stable under the new policy, enable enforcing by changing <computeroutput>SELINUX=enforcing</computeroutput>. You can either reboot or run <command>setenforce 1</command> to turn enforcing on in real time."
msgstr ""
#: en_US/selinux-faq.xml:1255(para)
msgid "How can I back up files from an SELinux file system?"
msgstr ""
#: en_US/selinux-faq.xml:1260(para)
msgid "Use the <command>star</command> utility, which supports the extended attributes that store the security context labels. Specify the <option>-xattr</option> and <option>-H=exustar</option> options when creating archives."
msgstr ""
#: en_US/selinux-faq.xml:1267(command)
msgid "ls -Z /var/log/maillog"
msgstr ""
#: en_US/selinux-faq.xml:1269(command)
msgid "cd /var/log star -xattr -H=exustar -c -f maillog.star ./maillog*"
msgstr ""
#: en_US/selinux-faq.xml:1266(screen)
#, no-wrap
msgid "\n<placeholder-1/>\n-rw------- root root system_u:object_r:var_log_t /var/log/maillog\n<placeholder-2/>\n"
msgstr ""
#: en_US/selinux-faq.xml:1273(title)
msgid "Absolute paths can overwrite existing data"
msgstr ""
#: en_US/selinux-faq.xml:1274(para)
msgid "If you use an absolute path, such as <filename>/var/log/maillog</filename>, when you unpack the archive with <command>star -c -f</command>, the files are restored on the same path they were archived with. The <filename>maillog</filename> file attempts to write to <filename>/var/log/maillog</filename>. You should received a warning from <command>star</command> if the files about to be overwritten have a later date, but you cannot rely on this behavior."
msgstr ""
#: en_US/selinux-faq.xml:1285(para)
msgid "Consider carefully how you construct your archiving argument."
msgstr ""
#: en_US/selinux-faq.xml:1293(para)
msgid "How can I install the strict policy by default with kickstart?"
msgstr ""
#: en_US/selinux-faq.xml:1300(para)
msgid "Under the <computeroutput>%packages</computeroutput> section, add <filename>selinux-policy-strict</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1306(para)
msgid "Under the <computeroutput>%post</computeroutput> section, add the following:"
msgstr ""
#: en_US/selinux-faq.xml:1311(computeroutput)
#, no-wrap
msgid "lokkit -q --selinuxtype=strict\ntouch /.autorelabel"
msgstr ""
#: en_US/selinux-faq.xml:1320(para)
msgid "How do I make a user <filename>public_html</filename> directory work under SELinux?"
msgstr ""
#: en_US/selinux-faq.xml:1326(para)
msgid "This process presumes that you have enabled user public HTML directories in your Apache configuration file, <filename>/etc/httpd/conf/httpd.conf</filename>. This process only covers serving static Web content. For more information about Apache HTTP and SELinux, refer to <ulink url=\"http://fedora.redhat.com/docs/selinux-apache-fc3/\"/>."
msgstr ""
#: en_US/selinux-faq.xml:1336(para)
msgid "If you do not already have a <filename>~/public_html</filename> directory, create it and populate it with the files and folders to be served."
msgstr ""
#: en_US/selinux-faq.xml:1342(userinput)
#, no-wrap
msgid "cd ~\nmkdir public_html\ncp /path/to/content ~/public_html"
msgstr ""
#: en_US/selinux-faq.xml:1348(para)
msgid "At this point, <command>httpd</command> is configured to serve the contents, but you still receive a <computeroutput>403\n\t\t forbidden</computeroutput> error. This is because <command>httpd</command> is not allowed to read the security type for the directory and files as they are created in the user's home directory. Change the security context of the folder and its contents recursively using the <option>-R</option> option:"
msgstr ""
#: en_US/selinux-faq.xml:1359(userinput)
#, no-wrap
msgid "ls -Z -d public_html/"
msgstr ""
#: en_US/selinux-faq.xml:1360(computeroutput)
#, no-wrap
msgid "drwxrwxr-x auser auser user_u:object_r:user_home_t public_html"
msgstr ""
#: en_US/selinux-faq.xml:1361(userinput)
#, no-wrap
msgid "chcon -R -t httpd_user_content_t public_html/\nls -Z -d public_html/"
msgstr ""
#: en_US/selinux-faq.xml:1363(computeroutput)
#, no-wrap
msgid "drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/"
msgstr ""
#: en_US/selinux-faq.xml:1364(userinput)
#, no-wrap
msgid "ls -Z public_html/"
msgstr ""
#: en_US/selinux-faq.xml:1365(computeroutput)
#, no-wrap
msgid "-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t bar.html\n-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz.html\n-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo.html"
msgstr ""
#: en_US/selinux-faq.xml:1369(para)
msgid "You may notice at a later date that the user field, set here to <computeroutput>user_u</computeroutput>, is changed to <computeroutput>system_u</computeroutput>. This does not affect how the targeted policy works. The field that matters is the type field."
msgstr ""
#: en_US/selinux-faq.xml:1378(para)
msgid "Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using <command>system-config-securitylevel</command>. Select the <guilabel>SELinux</guilabel> tab, and then select the <guilabel>Modify SELinux Policy</guilabel> area. Select <computeroutput>Allow HTTPD to read home\n\t\t directories</computeroutput>. The changes take effect immediately."
msgstr ""
#: en_US/selinux-faq.xml:1395(para)
msgid "How do I turn SELinux off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:1400(para)
msgid "Set <computeroutput>SELINUX=disabled</computeroutput> in <filename>/etc/selinux/config</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1404(para)
msgid "Alternatively, you can add <option>selinux=0</option> to your kernel boot parameters. However, this option is not recommended."
msgstr ""
#: en_US/selinux-faq.xml:1409(title)
msgid "Be careful when disabling SELinux"
msgstr ""
#: en_US/selinux-faq.xml:1410(para)
msgid "If you boot with <option>selinux=0</option>, any files you create while SELinux is disabled do not have SELinux context information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option <option>emergency</option> to your kernel boot parameters."
msgstr ""
#: en_US/selinux-faq.xml:1424(para)
msgid "How do I turn enforcing on/off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:1429(para)
msgid "You can specify the SELinux mode using the configuration file <filename>/etc/sysconfig/selinux</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1434(computeroutput)
#, no-wrap
msgid "# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded."
msgstr ""
#: en_US/selinux-faq.xml:1439(replaceable)
msgid "enforcing"
msgstr ""
#: en_US/selinux-faq.xml:1440(computeroutput)
#, no-wrap
msgid "# SELINUXTYPE= type of policy in use. Possible values are:\n# targeted - Only targeted network daemons are protected.\n# strict - Full SELinux protection."
msgstr ""
#: en_US/selinux-faq.xml:1443(replaceable)
msgid "targeted"
msgstr ""
#: en_US/selinux-faq.xml:1433(screen)
#, no-wrap
msgid "\n<placeholder-1/>\nSELINUX=<userinput><placeholder-2/></userinput>\n<placeholder-3/>\nSELINUXTYPE=<userinput><placeholder-4/></userinput>\n"
msgstr ""
#: en_US/selinux-faq.xml:1445(para)
msgid "Setting the value to <computeroutput>enforcing</computeroutput> is the same as adding <option>enforcing=1</option> to the kernel boot parameters. Setting the value to <computeroutput>permissive</computeroutput> is the same as adding <option>enforcing=0</option> to the kernel boot parameters."
msgstr ""
#: en_US/selinux-faq.xml:1452(para)
msgid "However, setting the value to <computeroutput>disabled</computeroutput> is not the same as the <option>selinux=0</option> kernel boot parameter. Rather than fully disabling SELinux in the kernel, the <computeroutput>disabled</computeroutput> setting instead turns enforcing off and skips loading a policy."
msgstr ""
#: en_US/selinux-faq.xml:1461(title)
msgid "SELinux Configuration Precedence"
msgstr ""
#: en_US/selinux-faq.xml:1462(para)
msgid "The command line kernel parameter overrides the configuration file."
msgstr ""
#: en_US/selinux-faq.xml:1471(para)
msgid "How do I temporarily turn off enforcing mode without having to reboot?"
msgstr ""
#: en_US/selinux-faq.xml:1477(para)
msgid "Occasionally you may need to perform an action that is normally prevented by policy. Run the command <command>setenforce 0</command> to turn off enforcing mode in real time. When you are finished, run <command>setenforce 1</command> to turn enforcing back on."
msgstr ""
#: en_US/selinux-faq.xml:1485(title)
msgid "<computeroutput>sysadm_r</computeroutput> Role Required for strict policy"
msgstr ""
#: en_US/selinux-faq.xml:1487(para)
msgid "You must issue the <command>setenforce</command> command with the <computeroutput>sysadm_r</computeroutput> role if you are using strict policy. If you are using the standard targeted policy, then this is not necessary. Use the <command>newrole</command> command to assume this role."
msgstr ""
#: en_US/selinux-faq.xml:1499(para)
msgid "How do I turn system call auditing on/off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:1504(para)
msgid "Add <option>audit=1</option> to your kernel command line to turn system call auditing on. Add <option>audit=0</option> to your kernel command line to turn system call auditing off."
msgstr ""
#: en_US/selinux-faq.xml:1509(para)
msgid "System-call auditing is <emphasis>on</emphasis> by default. When on, it provides information about the system call that was executing when SELinux generated a <computeroutput>denied</computeroutput> message. The error message is helpful when debugging policy."
msgstr ""
#: en_US/selinux-faq.xml:1520(para)
msgid "How do I temporarily turn off system-call auditing without having to reboot?"
msgstr ""
#: en_US/selinux-faq.xml:1526(para)
msgid "Run <command>auditctl -e 0</command>. Note that this command does not affect auditing of SELinux AVC denials."
msgstr ""
#: en_US/selinux-faq.xml:1534(para)
msgid "How do I get status info about my SELinux installation?"
msgstr ""
#: en_US/selinux-faq.xml:1539(para)
msgid "As root, execute the command <command>/usr/sbin/sestatus -v</command>. For more information, refer to the <filename>sestatus(8)</filename> manual page."
msgstr ""
#: en_US/selinux-faq.xml:1548(para)
msgid "How do I write policy to allow a domain to use pam_unix.so?"
msgstr ""
#: en_US/selinux-faq.xml:1553(para)
msgid "Very few domains in the SELinux world are allowed to read the <filename>/etc/shadow</filename> file. There are constraint rules that prevent policy writers from writing code like"
msgstr ""
#: en_US/selinux-faq.xml:1559(command)
msgid "allow mydomain_t shadow_t:file read;"
msgstr ""
#: en_US/selinux-faq.xml:1561(para)
msgid "In RHEL4 you can setup your domain to use the <command>unix_chkpwd</command> command. The easiest way is to use the <command>unix_chkpwd</command> attribute. So if you were writing policy for an ftpd daemon you would write something like"
msgstr ""
#: en_US/selinux-faq.xml:1568(command)
msgid "daemon_domain(vsftpd, `auth_chkpwd')"
msgstr ""
#: en_US/selinux-faq.xml:1570(para)
msgid "This would create a context where vsftpd_t -> chkpwd_exec_t -> system_chkpwd_t which can read <filename>/etc/shadow</filename>, while vsftpd_t is not able to read it."
msgstr ""
#: en_US/selinux-faq.xml:1576(para)
msgid "In Fedora Core 5/RHEL5, add the rule"
msgstr ""
#: en_US/selinux-faq.xml:1580(command)
msgid "auth_domtrans_chk_passwd(vsftpd_t)"
msgstr ""
#: en_US/selinux-faq.xml:1586(para)
msgid "I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel?"
msgstr ""
#: en_US/selinux-faq.xml:1592(para)
msgid "You need to execute the command <command>semodule -i myapp.pp</command>. This modifies the policy that is stored on the machine. Your policy module now is loaded with the rest of the policy. You can even remove the pp file from the system."
msgstr ""
#: en_US/selinux-faq.xml:1598(para)
msgid "<command>semodule -l</command> lists the currently loaded modules."
msgstr ""
#: en_US/selinux-faq.xml:1603(computeroutput)
#, no-wrap
msgid "#semodule -i \nmyapp 1.2.1"
msgstr ""
#: en_US/selinux-faq.xml:1606(para)
msgid "If you later would like to remove the policy package, you can execute <command>semodule -r myapp</command>."
msgstr ""
#: en_US/selinux-faq.xml:1614(title)
msgid "Resolving Problems"
msgstr ""
#: en_US/selinux-faq.xml:1617(para)
msgid "Where are SELinux AVC messages (denial logs, etc.) stored?"
msgstr ""
#: en_US/selinux-faq.xml:1622(para)
msgid "In Fedora Core 2 and 3, SELinux AVC messages could be found in <filename>/var/log/messages</filename>. In Fedora Core 4, the audit daemon was added, and these messages moved to <filename>/var/log/audit/audit.log</filename>. In Fedora Core 5, the audit daemon is not installed by default, and consequently these messages can be found in <filename>/var/log/messages</filename> unless you choose to install and enable the audit daemon, in which case AVC messages will be in <filename>/var/log/audit/audit.log</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1639(para)
msgid "My application isn't working as expected and I am seeing <computeroutput>avc: denied</computeroutput> messages. How do I fix this?"
msgstr ""
#: en_US/selinux-faq.xml:1646(para)
msgid "This message means that the current SELinux policy is not allowing the application to do something. There are a number of reasons this could happen."
msgstr ""
#: en_US/selinux-faq.xml:1651(para)
msgid "First, one of the files the application is trying to access could be mislabeled. If the AVC message refers to a specific file, inspect its current label with <command>ls -alZ <replaceable>/path/to/file</replaceable></command>. If it seems wrong, use the command <command>restorecon -v <replaceable>/path/to/file</replaceable></command> to restore the file's default context. If you have a large number of denials related to files, you may want to use <command>fixfiles relabel</command>, or run <command>restorecon -R <replaceable>/path</replaceable></command> to recursively relabel a directory path."
msgstr ""
#: en_US/selinux-faq.xml:1664(para)
msgid "Denials are sometimes due to a configuration change in the program that triggered the denial message. For example, if you change Apache to also listen on port 8800, you must also change the security policy, <filename>apache.te</filename>. Refer to <xref linkend=\"external-link-list\"/> for more information about writing policy."
msgstr ""
#: en_US/selinux-faq.xml:1672(para)
msgid "If you are having trouble getting a specific application like Apache to work, refer to <xref linkend=\"qa-using-s-c-securitylevel\"/> for information on disabling enforcement just for that application."
msgstr ""
#: en_US/selinux-faq.xml:1704(para)
msgid "I installed Fedora Core on a system with an existing <filename>/home</filename> partition, and now I can't log in."
msgstr ""
#: en_US/selinux-faq.xml:1710(para)
msgid "Your <filename>/home</filename> partition is not labeled correctly. You can easily fix this two different ways."
msgstr ""
#: en_US/selinux-faq.xml:1714(para)
msgid "If you just want to relabel <filename>/home</filename> recursively:"
msgstr ""
#: en_US/selinux-faq.xml:1719(command)
msgid "/sbin/restorecon -v -R /home"
msgstr ""
#: en_US/selinux-faq.xml:1721(para)
msgid "If you want to be sure there are no other files incorrectly labeled, you can relabel the entire file system:"
msgstr ""
#: en_US/selinux-faq.xml:1726(command)
msgid "/sbin/fixfiles relabel"
msgstr ""
#: en_US/selinux-faq.xml:1728(para)
msgid "You must have the <filename>policycoreutils</filename> package installed to use <command>fixfiles</command>."
msgstr ""
#: en_US/selinux-faq.xml:1736(para)
msgid "After relabeling my <filename>/home</filename> using <command>setfiles</command> or <command>fixfiles</command>, am I still be able to read <filename>/home</filename> with a non-SELinux-enabled system?"
msgstr ""
#: en_US/selinux-faq.xml:1744(para)
msgid "You can read the files from a non-SELinux distribution, or one with SELinux disabled. However, files created by a system not using SELinux systems do not have a security context, nor do any files you remove and recreate. This could be a challenge with files such as <filename>~/.bashrc</filename>. You may have to relabel <filename>/home</filename> when you reboot the SELinux enabled Fedora Core system."
msgstr ""
#: en_US/selinux-faq.xml:1757(para)
msgid "How do I share directories using NFS between Fedora Core and non-SELinux systems?"
msgstr ""
#: en_US/selinux-faq.xml:1763(para)
msgid "Just as NFS transparently supports many file system types, it can be used to share directories between SELinux and non-SELinux systems."
msgstr ""
#: en_US/selinux-faq.xml:1767(para)
msgid "When you mount a non-SELinux file system via NFS, by default SELinux treats all the files in the share as having a context of <computeroutput>nfs_t</computeroutput>. You can override the default context by setting it manually, using the <option>context=</option> option. The following command makes the files in the NFS mounted directory appear to have a context of <computeroutput>system_u:object_r:tmp_t</computeroutput> to SELinux:"
msgstr ""
#: en_US/selinux-faq.xml:1777(command)
msgid "mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo"
msgstr ""
#: en_US/selinux-faq.xml:1780(para)
msgid "When SELinux exports a file system via NFS, newly created files have the context of the directory they were created in. In other words, the presence of SELinux on the remote mounting system has no effect on the local security contexts."
msgstr ""
#: en_US/selinux-faq.xml:1790(para)
msgid "How can I create a new Linux user account with the user's home directory having the proper context?"
msgstr ""
#. wtf was I trying to say here?
#. <para>
#. This depends on the policy you are running. A very restrictive
#. policy requires you to change
#. </para>
#: en_US/selinux-faq.xml:1802(para)
msgid "You can create your new user with the standard <command>useradd</command> command. First you must become <systemitem class=\"username\">root</systemitem>. Under the strict policy you need to change role to <computeroutput>sysadm_r</computeroutput> with the following command:"
msgstr ""
#: en_US/selinux-faq.xml:1811(userinput)
#, no-wrap
msgid "newrole -r sysadm_r"
msgstr ""
#: en_US/selinux-faq.xml:1813(para)
msgid "For the targeted policy you do not need to switch roles, staying in <computeroutput>unconfined_t</computeroutput>:"
msgstr ""
#: en_US/selinux-faq.xml:1819(userinput)
#, no-wrap
msgid "su - root\nid -Z"
msgstr ""
#: en_US/selinux-faq.xml:1821(computeroutput)
#, no-wrap
msgid "root:system_r:unconfined_t"
msgstr ""
#: en_US/selinux-faq.xml:1822(userinput)
#, no-wrap
msgid "useradd auser\nls -Z /home"
msgstr ""
#: en_US/selinux-faq.xml:1824(computeroutput)
#, no-wrap
msgid "drwx------ auser auser root:object_r:user_home_dir_t /home/auser"
msgstr ""
#: en_US/selinux-faq.xml:1826(para)
msgid "The initial context for a new user directory has an identity of <computeroutput>root</computeroutput>. Subsequent relabeling of the file system changes the identity to <computeroutput>system_u</computeroutput>. These are functionally the same since the role and type are identical (<computeroutput>object_r:user_home_dir_t</computeroutput>.)"
msgstr ""
#: en_US/selinux-faq.xml:1838(para)
msgid "Does the <command>su</command> command change my SELinux identity and role?"
msgstr ""
#: en_US/selinux-faq.xml:1844(para)
msgid "In previous versions of Fedora Core, security context transitions were integrated into the <command>su</command> via <computeroutput>pam_selinux</computeroutput>. This turned out to be more trouble than it was worth, and is quite unnecessary on a system running targeted policy. So, this is no longer the case. Now, <command>su</command>/<command>sudo</command> only change the Linux identy. You will need to use <command>newrole</command> to change the SELinux identity, role, or level."
msgstr ""
#: en_US/selinux-faq.xml:1854(para)
msgid "Other forms of Linux/<trademark class=\"registered\">UNIX</trademark> identity change, for example <command>setuid(2)</command>, also do not cause an SELinux identity change."
msgstr ""
#: en_US/selinux-faq.xml:1864(para)
msgid "I'm having troubles with <command>avc</command> errors filling my logs for a particular program. How do I choose not to audit the access for it?"
msgstr ""
#: en_US/selinux-faq.xml:1871(para)
msgid "If you wanted to not audit <command>dmesg</command>, for example, you would put this in your <filename>dmesg.te</filename> file:"
msgstr ""
#: en_US/selinux-faq.xml:1878(userinput)
#, no-wrap
msgid "dontaudit dmesg_t userdomain:fd { use };"
msgstr ""
#: en_US/selinux-faq.xml:1880(para)
msgid "This eliminates the error output to the terminal for all user domains, including <varname>user</varname>, <varname>staff</varname> and <varname>sysadm</varname>."
msgstr ""
#: en_US/selinux-faq.xml:1889(para)
msgid "Even running in permissive mode, I'm getting a large number of <computeroutput>avc denied</computeroutput> messages."
msgstr ""
#: en_US/selinux-faq.xml:1895(para)
msgid "In a non-enforcing mode, you should actually receive <emphasis>more</emphasis> messages than in enforcing mode. The kernel logs each access denial as if you were in an enforcing mode. Since you are not restricted by policy enforcement, you can perform more actions, which results in more denials being logged."
msgstr ""
#: en_US/selinux-faq.xml:1902(para)
msgid "If an application running under an enforcing mode is denied access to read a number of files in a directory, it is stopped once at the beginning of the action. In a non-enforcing mode, the application is not stopped from traversing the directory tree, and generates a denial message for each file read in the directory."
msgstr ""
#: en_US/selinux-faq.xml:1914(para)
msgid "I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in <filename>/var/log/messages</filename> (or <filename>/var/log/audit/audit.log</filename> if using the audit daemon). How can I identify the cause of these silent denials?"
msgstr ""
#: en_US/selinux-faq.xml:1924(para)
msgid "The most common reason for a silent denial is when the policy contains an explicit <computeroutput>dontaudit</computeroutput> rule to suppress audit messages. The <computeroutput>dontaudit</computeroutput> rule is often used this way when a benign denial is filling the audit logs."
msgstr ""
#: en_US/selinux-faq.xml:1931(para)
msgid "To look for your particular denial, enable auditing of all <computeroutput>dontaudit</computeroutput> rules:"
msgstr ""
#: en_US/selinux-faq.xml:1936(command)
msgid "semodule -b /usr/share/selinux/targeted/enableaudit.pp"
msgstr ""
#: en_US/selinux-faq.xml:1939(title)
msgid "Enabled <computeroutput>dontaudit</computeroutput> output is verbose"
msgstr ""
#: en_US/selinux-faq.xml:1941(para)
msgid "Enabling auditing of all <computeroutput>dontaudit</computeroutput> rules likely produce a large amount of audit information, most of which is irrelevant to your denial."
msgstr ""
#: en_US/selinux-faq.xml:1947(para)
msgid "Use this technique only if you are specifically looking for an audit message for a denial that seems to occur silently. You want to re-enable <computeroutput>dontaudit</computeroutput> rules as soon as possible."
msgstr ""
#: en_US/selinux-faq.xml:1955(para)
msgid "Once you have found your problem you can reset to the default mode by executing"
msgstr ""
#: en_US/selinux-faq.xml:1960(command)
msgid "semodule -b /usr/share/selinux/targeted/base.pp"
msgstr ""
#: en_US/selinux-faq.xml:1990(para)
msgid "Why do I not see the output when I run certain daemons in debug or interactive mode?"
msgstr ""
#: en_US/selinux-faq.xml:1996(para)
msgid "SELinux intentionally disables access to the tty devices to stop daemons from communicating back with the controlling terminal. This communication is a potential security hole because such daemons could insert commands into the controlling terminal. A broken or compromised program could use this hole to cause serious problems."
msgstr ""
#: en_US/selinux-faq.xml:2004(para)
msgid "There are a few ways you can capture standard output from daemons. One method is to pipe the output to the cat command."
msgstr ""
#: en_US/selinux-faq.xml:2009(command)
msgid "snmpd -v | cat"
msgstr ""
#: en_US/selinux-faq.xml:2011(para)
msgid "When debugging a daemon, you may want to turn off the transition of the daemon to its specific domain. You can do this using <command>system-config-securitylevel</command> or <command>setsebool</command> on the command line."
msgstr ""
#: en_US/selinux-faq.xml:2017(para)
msgid "A final option is to turn off enforcing mode while debugging. Issue the command <command>setenforce 0</command> to turn off enforcing mode, and use the command <command>setenforce 1</command> to re-enable SELinux when you are finished debugging."
msgstr ""
#: en_US/selinux-faq.xml:2027(para)
msgid "When I do an upgrade of the policy package (for example, using <command>yum</command>), what happens with the policy? Is it updated automatically?"
msgstr ""
#: en_US/selinux-faq.xml:2034(para)
msgid "Policy reloads itself when the package is updated. This behavior replaces the manual <command>make load</command>."
msgstr ""
#: en_US/selinux-faq.xml:2038(para)
msgid "In certain situations, you may need to relabel the file system. This might occur as part of an SELinux bug fix where file contexts become invalid, or when the policy update makes changes to the file <filename>/etc/selinux/targeted/contexts/files/file_contexts</filename>."
msgstr ""
#: en_US/selinux-faq.xml:2045(para)
msgid "After the file system is relabeled, a <command>reboot</command> is not required, but is useful in ensuring every process and program is running in the proper domain. This is highly dependent on the changes in the updated policy."
msgstr ""
#: en_US/selinux-faq.xml:2051(para)
msgid "To relabel, you have several options. You may use the <command>fixfiles</command> command:"
msgstr ""
#: en_US/selinux-faq.xml:2056(command)
msgid "fixfiles relabel reboot"
msgstr ""
#: en_US/selinux-faq.xml:2059(para)
msgid "Alternately, use the <filename>/.autorelabel</filename> mechanism:"
msgstr ""
#: en_US/selinux-faq.xml:2063(command)
msgid "touch /.autorelabel reboot"
msgstr ""
#: en_US/selinux-faq.xml:2070(para)
msgid "If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package?"
msgstr ""
#: en_US/selinux-faq.xml:2077(para)
msgid "Yes. The security contexts for the files owned by the package are stored in the header data for the package. The file contexts are set directly after the <command>cpio</command> copy, as the package files are being put on the disk."
msgstr ""
#: en_US/selinux-faq.xml:2162(para)
msgid "Why do binary policies distributed with Fedora, such as <filename>/etc/selinux/<replaceable><policyname></replaceable>/policy/policy.<replaceable><version></replaceable></filename>, and those I compile myself have different sizes and MD5 checksums?"
msgstr ""
#: en_US/selinux-faq.xml:2169(para)
msgid "When you install a policy package, pre-compiled binary policy files are put directly into <filename>/etc/selinux</filename>. The different build environments will make target files that have different sizes and MD5 checksums."
msgstr ""
#: en_US/selinux-faq.xml:2179(para)
msgid "Will new policy packages disable my system?"
msgstr ""
#: en_US/selinux-faq.xml:2184(para)
msgid "There is a possibility that changes in the policy package or in the policy shipping with an application package can cause errors, more denials, or other unknown behaviors. You can discover which package caused the breakage by reverting policy and application packages one at a time. If you don't want to return to the previous package, the older version of the configuration files will be saved with the extension <filename class=\"extension\">.rpmsave</filename>. Use the mailing lists, bugzilla, and IRC to help you work through your problem. If you are able, write or fix policy to resolve your problem."
msgstr ""
#: en_US/selinux-faq.xml:2201(para)
msgid "My console is being flooded with messages. How do I turn them off?"
msgstr ""
#: en_US/selinux-faq.xml:2207(para)
msgid "To regain useful control, turn off kernel messages to the console with this command:"
msgstr ""
#: en_US/selinux-faq.xml:2212(command)
msgid "dmesg -n 1"
msgstr ""
#: en_US/selinux-faq.xml:2218(para)
msgid "Can I test the default policy without installing the policy source?"
msgstr ""
#: en_US/selinux-faq.xml:2224(para)
msgid "You can test SELinux default policy by installing just the <filename>selinux-policy-<replaceable>policyname</replaceable></filename> and <filename>policycoreutils</filename> packages. Without the policy source installed, the <command>fixfiles</command> command automates the file system relabeling."
msgstr ""
#: en_US/selinux-faq.xml:2231(para)
msgid "The command <command>fixfiles relabel</command> is the equivalent of <command>make relabel</command>. During the relabeling, it will delete all of the files in <filename>/tmp</filename>, cleaning up files which may have old file context labels."
msgstr ""
#: en_US/selinux-faq.xml:2237(para)
msgid "Other commands are <command>fixfiles check</command>, which checks for mislabeled files, and <command>fixfiles restore</command>, which fixes the mislabeled files but does not delete the files in <filename>/tmp</filename>. The <command>fixfiles</command> command does not take a list of directories as an argument, because it relabels the entire file system. If you need to relabel a specific directory path, use <command>restorecon</command>."
msgstr ""
#: en_US/selinux-faq.xml:2251(para)
msgid "Why are some of my KDE applications having trouble under SELinux?"
msgstr ""
#: en_US/selinux-faq.xml:2256(para)
msgid "KDE executables always appear as <command>kdeinit</command>, which limits what can be done with SELinux policy. This is because every KDE application runs in the domain for <command>kdeinit</command>."
msgstr ""
#: en_US/selinux-faq.xml:2261(para)
msgid "Problems often arise when installing SELinux because it is not possible to relabel <filename>/tmp</filename> and <filename>/var/tmp</filename>. There is no good method of determining which file should have which context."
msgstr ""
#: en_US/selinux-faq.xml:2267(para)
msgid "The solution is to fully log out of KDE and remove all KDE temporary files:"
msgstr ""
#: en_US/selinux-faq.xml:2272(replaceable)
msgid "<username>"
msgstr ""
#: en_US/selinux-faq.xml:2273(replaceable)
msgid "<other_kde_files>"
msgstr ""
#: en_US/selinux-faq.xml:2272(command)
msgid "rm -rf /var/tmp/kdecache-<placeholder-1/> rm -rf /var/tmp/<placeholder-2/>"
msgstr ""
#: en_US/selinux-faq.xml:2275(para)
msgid "At your next login, your problem should be fixed."
msgstr ""
#: en_US/selinux-faq.xml:2282(para)
msgid "Why does <option>SELINUX=disabled</option> not work for me?"
msgstr ""
#: en_US/selinux-faq.xml:2287(para)
msgid "Be careful of white space in the file <filename>/etc/sysconfig/selinux</filename>. The code is very sensitive to white space, even trailing space."
msgstr ""
#: en_US/selinux-faq.xml:2296(para)
msgid "I have a process running as <computeroutput>unconfined_t</computeroutput>, and SELinux is still preventing my application from running."
msgstr ""
#: en_US/selinux-faq.xml:2303(para)
msgid "We have begun to confine the <computeroutput>unconfined_t</computeroutput> domain somewhat. SELinux restricts certain memory protection operation. Following is a list of those denials, as well as possible reasons and solutions for those denials. For more information on these restrictions, see <ulink url=\"http://people.redhat.com/drepper/selinux-mem.html\"/>."
msgstr ""
#: en_US/selinux-faq.xml:2312(para)
msgid "These show up in <filename>/var/log/messages</filename> (or <filename>/var/log/audit/audit.log</filename> if using the audit daemon) as avc denials. These can also show up when running programs with errors like"
msgstr ""
#: en_US/selinux-faq.xml:2320(computeroutput)
#, no-wrap
msgid "error while loading shared libraries: /usr/lib/libavutil.so.49:\ncannot restore segment prot after reloc: Permission denied"
msgstr ""
#: en_US/selinux-faq.xml:2323(para)
msgid "which indicates that the library is trying to perform a text relocation and failing. Text relocations are bad, but can be allowed via the first hint below. Below are the SELinux memory permissions that are denied, as well as hints at how to address these denials."
msgstr ""
#: en_US/selinux-faq.xml:2332(computeroutput)
#, no-wrap
msgid "execmod"
msgstr ""
#: en_US/selinux-faq.xml:2334(para)
msgid "This is usually based on a library label. You can permanently change the context on the library with the following commands"
msgstr ""
#: en_US/selinux-faq.xml:2340(computeroutput)
#, no-wrap
msgid "# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.0.0'\n# /sbin/restorecon -v /usr/lib/libavutil.so.49.0.0"
msgstr ""
#: en_US/selinux-faq.xml:2343(para)
msgid "with the particular library at fault in place of <filename>/usr/lib/libavutil.so.49.0.0</filename>. Now your application should be able to run. Please report this as a bugzilla."
msgstr ""
#: en_US/selinux-faq.xml:2352(computeroutput)
#, no-wrap
msgid "execstack"
msgstr ""
#: en_US/selinux-faq.xml:2354(para)
msgid "Attempt to <command>execstack -c <replaceable>LIBRARY</replaceable></command>. Now try your application again. If the application now works, the library was mistakenly marked as requiring <computeroutput>execstack</computeroutput>. Please report this as a bugzilla."
msgstr ""
#: en_US/selinux-faq.xml:2365(computeroutput)
#, no-wrap
msgid "execmem, execheap"
msgstr ""
#: en_US/selinux-faq.xml:2367(para)
msgid "A boolean for each one of these memory check errors have been provided. So if you need to run an application requiring either of these permissions, you can set the boolean allow_exec* to fix the problem. For instance if you try to run an application and you get an AVC message containing an <computeroutput>execstack</computeroutput> failure. You can set the boolean with"
msgstr ""
#: en_US/selinux-faq.xml:2377(command)
msgid "setsebool -P allow_execstack=1"
msgstr ""
#: en_US/selinux-faq.xml:2386(para)
msgid "What do these rpm errors mean?"
msgstr ""
#: en_US/selinux-faq.xml:2406(computeroutput)
#, no-wrap
msgid "restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t\nrestorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t"
msgstr ""
#: en_US/selinux-faq.xml:2409(para)
msgid "During the update process, the selinux package runs restorecon on the difference between the previously install policy file_context and the newly install policy context. This maintains the correct file context on disk."
msgstr ""
#: en_US/selinux-faq.xml:2416(computeroutput)
#, no-wrap
msgid "libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in policy"
msgstr ""
#: en_US/selinux-faq.xml:2418(para)
msgid "This indicates that the updated policy has removed the boolean from policy."
msgstr ""
#: en_US/selinux-faq.xml:2426(para)
msgid "I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work?"
msgstr ""
#: en_US/selinux-faq.xml:2432(para)
msgid "You can use the <command>semanage</command> command to define additional ports. So say you want httpd to be able to listen on port 8082. You could enter the command."
msgstr ""
#: en_US/selinux-faq.xml:2438(command)
msgid "semanage port -a -p tcp -t http_port_t 8082"
msgstr ""
#: en_US/selinux-faq.xml:2444(para)
msgid "How do I add additional translations to my MCS/MLS system?"
msgstr ""
#: en_US/selinux-faq.xml:2449(para)
msgid "Translations are handled through libsemanage. Use <command>semanage translation -l</command> to list all current translations."
msgstr ""
#: en_US/selinux-faq.xml:2455(computeroutput)
#, no-wrap
msgid "# semanage translation -l\nLevel Translation\n\ns0\ns0-s0:c0.c255 SystemLow-SystemHigh\ns0:c0.c255 SystemHigh"
msgstr ""
#: en_US/selinux-faq.xml:2462(para)
msgid "Now pick an unused category. Say you wanted to add Payroll as a translation, and s0:c6 is unused."
msgstr ""
#: en_US/selinux-faq.xml:2467(computeroutput)
#, no-wrap
msgid "# semanage translation -a -T Payroll s0:c6\n# semanage translation -l\nLevel Translation\n\ns0\ns0-s0:c0.c255 SystemLow-SystemHigh\ns0:c0.c255 SystemHigh\ns0:c6 Payroll"
msgstr ""
#: en_US/selinux-faq.xml:2480(para)
msgid "I have setup my MCS/MLS translations, now I want to designate which users can read a given category?"
msgstr ""
#: en_US/selinux-faq.xml:2486(para)
msgid "You can modify the range of categories a user can login with by using <command>semanage</command>, as seen in this example."
msgstr ""
#: en_US/selinux-faq.xml:2491(computeroutput)
#, no-wrap
msgid "# semanage login -a -r s0-Payroll csellers\n# semanage login -l\n\nLogin Name SELinux User MLS/MCS Range \n\n__default__ user_u s0 \ncsellers user_u s0-Payroll \nroot root SystemLow-SystemHigh"
msgstr ""
#: en_US/selinux-faq.xml:2500(para)
msgid "In the above example, the user csellers was given access to the <computeroutput>Payroll</computeroutput> category with the first command, as indicated in the listing output from the second command."
msgstr ""
#: en_US/selinux-faq.xml:2510(para)
msgid "I am writing a php script that needs to create files and possibly execute them. SELinux policy is preventing this. What should I do?"
msgstr ""
#: en_US/selinux-faq.xml:2517(para)
msgid "First, you should never allow a system service to execute anything it can write. This gives an attacker the ability to upload malicious code to the server and then execute it, which is something we want to prevent."
msgstr ""
#: en_US/selinux-faq.xml:2523(para)
msgid "If you merely need to allow your script to create (non-executable) files, this is possible. That said, you should avoid having system applications writing to the <filename>/tmp</filename> directory, since users tend to use the <filename>/tmp</filename> directory also. It would be better to create a directory elsewhere which could be owned by the apache process and allow your script to write to it. You should label the directory <computeroutput>httpd_sys_script_rw_t</computeroutput>, which will allow apache to read and write files to that directory. This directory could be located anywhere that apache can get to (even <filename>$HOME/public_html/</filename>)."
msgstr ""
#: en_US/selinux-faq.xml:2540(para)
msgid "I am setting up swapping to a file, but I am seeing AVC messages in my log files?"
msgstr ""
#: en_US/selinux-faq.xml:2546(para)
msgid "You need to identify the swapfile to SELinux by setting its file context to <computeroutput>swapfile_t</computeroutput>."
msgstr ""
#: en_US/selinux-faq.xml:2551(replaceable)
msgid "SWAPFILE"
msgstr ""
#: en_US/selinux-faq.xml:2551(command)
msgid "chcon -t swapfile_t <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:2557(para)
msgid "Please explain the <computeroutput>relabelto</computeroutput>/<computeroutput>relabelfrom</computeroutput> permissions?"
msgstr ""
#: en_US/selinux-faq.xml:2564(para)
msgid "For files, <computeroutput>relabelfrom</computeroutput> means \"Can domain D relabel a file from (i.e. currently in) type T1?\" and <computeroutput>relabelto</computeroutput> means \"Can domain D relabel a file to type T2?\", so both checks are applied upon a file relabeling, where T1 is the original type of the type and T2 is the new type specified by the program."
msgstr ""
#: en_US/selinux-faq.xml:2572(para)
msgid "Useful documents to look at:"
msgstr ""
#: en_US/selinux-faq.xml:2577(para)
msgid "Object class and permission summary by Tresys <ulink url=\"http://tresys.com/selinux/obj_perms_help.shtml\"/>"
msgstr ""
#: en_US/selinux-faq.xml:2583(para)
msgid "Implementing SELinux as an LSM technical report (describes permission checks on a per-hook basis) <ulink url=\"http://www.nsa.gov/selinux/papers/module-abs.cfm\"/>. This is also available in the selinux-doc package (and more up-to-date there)."
msgstr ""
#: en_US/selinux-faq.xml:2592(para)
msgid "Integrating Flexible Support for Security Policies into the Linux Operating System - technical report (describes original design and implementation, including summary tables of classes, permissions, and what permission checks are applied to what system calls. It is not entirely up-to-date with current implementation, but a good resource nonetheless). <ulink url=\"http://www.nsa.gov/selinux/papers/slinux-abs.cfm\"/>"
msgstr ""
#: en_US/selinux-faq.xml:2608(title)
msgid "Deploying SELinux"
msgstr ""
#: en_US/selinux-faq.xml:2611(para)
msgid "What file systems can I use for SELinux?"
msgstr ""
#: en_US/selinux-faq.xml:2616(para)
msgid "The file system must support <computeroutput>xattr</computeroutput> labels in the right <parameter>security.*</parameter> namespace. In addition to ext2/ext3, XFS has recently added support for the necessary labels."
msgstr ""
#: en_US/selinux-faq.xml:2623(para)
msgid "Note that XFS SELinux support is broken in upstream kernel 2.6.14 and 2.6.15, but fixed (worked around) in 2.6.16. Your kernel must include this fix if you choose to use XFS with SELinux."
msgstr ""
#: en_US/selinux-faq.xml:2633(para)
msgid "How does SELinux impact system performance?"
msgstr ""
#: en_US/selinux-faq.xml:2638(para)
msgid "This is a variable that is hard to measure, and is heavily dependent on the tuning and usage of the system running SELinux. When performance was last measured, the impact was around 7% for completely untuned code. Subsequent changes in system components such as networking are likely to have made that worse in some cases. SELinux performance tuning continues to be a priority of the development team."
msgstr ""
#: en_US/selinux-faq.xml:2651(para)
msgid "What types of deployments, applications, and systems should I leverage SELinux in?"
msgstr ""
#: en_US/selinux-faq.xml:2657(para)
msgid "Initially, SELinux has been used on Internet facing servers that are performing a few specialized functions, where it is critical to keep extremely tight security. Administrators typically strip such a box of all extra software and services, and run a very small, focused set of services. A Web server or mail server is a good example."
msgstr ""
#: en_US/selinux-faq.xml:2665(para)
msgid "In these edge servers, you can lock down the policy very tightly. The smaller number of interactions with other components makes such a lock down easier. A dedicated system running a specialized third-party application would also be a good candidate."
msgstr ""
#: en_US/selinux-faq.xml:2671(para)
msgid "In the future, SELinux will be targeted at all environments. In order to achieve this goal, the community and <firstterm>independent software vendors</firstterm> (<abbrev>ISV</abbrev>s) must work with the SELinux developers to produce the necessary policy. So far, a very restrictive <firstterm>strict policy</firstterm> has been written, as well as a <firstterm>targeted policy</firstterm> that focuses on specific, vulnerable daemons."
msgstr ""
#: en_US/selinux-faq.xml:2681(para)
msgid "For more information about these policies, refer to <xref linkend=\"qa-whatis-policy\"/> and <xref linkend=\"qa-whatis-targeted-policy\"/>."
msgstr ""
#: en_US/selinux-faq.xml:2689(para)
msgid "How does SELinux affect third-party applications?"
msgstr ""
#: en_US/selinux-faq.xml:2694(para)
msgid "One goal of implementing a targeted SELinux policy in Fedora Core is to allow third-party applications to work without modification. The targeted policy is transparent to those unaddressed applications, and it falls back on standard Linux DAC security. These applications, however, will not be running in an extra-secure manner. You or another provider must write policy to protect these applications with MAC security."
msgstr ""
#: en_US/selinux-faq.xml:2703(para)
msgid "It is impossible to predict how every third-party application might behave with SELinux, even running the targeted policy. You may be able to fix issues that arise by changing the policy. You may find that SELinux exposes previously unknown security issues with your application. You may have to modify the application to work under SELinux."
msgstr ""
#: en_US/selinux-faq.xml:2711(para)
msgid "Note that with the addition of <xref linkend=\"faq-entry-whatare-policy-modules\"/>, it is now possible for third-party developers to include policy modules with their application. If you are a third-party developer or a package-maintainer, please consider including a policy module in your package. This will allow you to secure the behavior of your application with the power of SELinux for any user installing your package."
msgstr ""
#: en_US/selinux-faq.xml:2721(para)
msgid "One important value that Fedora Core testers and users bring to the community is extensive testing of third-party applications. With that in mind, please bring your experiences to the appropriate mailing list, such as the fedora-selinux list, for discussion. For more information about that list, refer to <ulink url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list/\"/>."
msgstr ""
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: en_US/selinux-faq.xml:0(None)
msgid "translator-credits"
msgstr ""
More information about the Fedora-docs-commits
mailing list