Author: pfrields
Update of /cvs/docs/selinux-faq/po
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6653/po
Added Files:
doc-entities.pot selinux-faq.pot
Log Message:
Add POT files for translator usage
--- NEW FILE doc-entities.pot ---
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2006-03-25 07:10-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL(a)li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#: en_US/doc-entities.xml:6(title)
msgid "These entities are absolutely essential in this document."
msgstr ""
#: en_US/doc-entities.xml:9(comment)
msgid "A per-document entity"
msgstr ""
#: en_US/doc-entities.xml:10(wordasword)
msgid "Per-document Entity"
msgstr ""
#: en_US/doc-entities.xml:14(comment)
msgid "Should match the name of this module"
msgstr ""
#: en_US/doc-entities.xml:15(text)
msgid "selinux-faq"
msgstr ""
#: en_US/doc-entities.xml:18(comment)
msgid "Last revision number, bump when you change the doc"
msgstr ""
#: en_US/doc-entities.xml:19(text)
msgid "1.5.2"
msgstr ""
#: en_US/doc-entities.xml:22(comment)
msgid "Last revision date, format YYYY-MM-DD"
msgstr ""
#: en_US/doc-entities.xml:23(text)
msgid "2006-03-24"
msgstr ""
#: en_US/doc-entities.xml:26(comment)
msgid "Same for every document"
msgstr ""
#: en_US/doc-entities.xml:27(text)
msgid "<use entity=\"DOCNAME\"/>-<use
entity=\"DOCVERSION\"/> (<use entity=\"DOCDATE\"/>)"
msgstr ""
#: en_US/doc-entities.xml:32(comment)
msgid "Useful pre-filled bug report; note the changes of the ampersand and percentage
characters to their entity equivalent."
msgstr ""
#: en_US/doc-entities.xml:38(comment)
msgid "Locally useful."
msgstr ""
#: en_US/doc-entities.xml:39(text)
msgid "Apache HTTP"
msgstr ""
#: en_US/doc-entities.xml:42(comment)
msgid "Set value to your choice, useful for when guide version is out of sync with
FC release, use instead of FEDVER or FEDTESTVER"
msgstr ""
#: en_US/doc-entities.xml:45(text)
msgid "5"
msgstr ""
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: en_US/doc-entities.xml:0(None)
msgid "translator-credits"
msgstr ""
--- NEW FILE selinux-faq.pot ---
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2006-03-25 07:10-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL(a)li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#: en_US/selinux-faq.xml:16(fallback)
msgid "WHERE IS MY FDP-INFO, DUDE"
msgstr ""
#: en_US/selinux-faq.xml:20(title)
msgid "&SEL; Notes and FAQ"
msgstr ""
#: en_US/selinux-faq.xml:21(para)
msgid "The information in this FAQ is valuable for those who are new to &SEL;. It
is also valuable if you are new to the latest &SEL; implementation in &FC;, since
some of the behavior may be different than you have experienced."
msgstr ""
#: en_US/selinux-faq.xml:28(title)
msgid "This FAQ is specific to &FC;&LOCALVER;"
msgstr ""
#: en_US/selinux-faq.xml:29(para)
msgid "If you are looking for the FAQ for other versions of &FC;, refer to
<ulink
url=\"http://fedora.redhat.com/docs/selinux-faq/\"/>."
msgstr ""
#: en_US/selinux-faq.xml:34(para)
msgid "For more information about how &SEL; works, how to use &SEL; for
general and specific Linux distributions, and how to write policy, these resources are
useful:"
msgstr ""
#: en_US/selinux-faq.xml:40(title)
msgid "External Link List"
msgstr ""
#: en_US/selinux-faq.xml:42(para)
msgid "NSA &SEL; main website —<ulink
url=\"http://www.nsa.gov/selinux/\"/>"
msgstr ""
#: en_US/selinux-faq.xml:48(para)
msgid "NSA &SEL; FAQ —<ulink
url=\"http://www.nsa.gov/selinux/info/faq.cfm\"/>"
msgstr ""
#: en_US/selinux-faq.xml:54(para)
msgid "&SEL; community page —<ulink
url=\"http://selinux.sourceforge.net\"/>"
msgstr ""
#: en_US/selinux-faq.xml:60(para)
msgid "Unofficial FAQ —<ulink
url=\"http://www.crypt.gen.nz/selinux/faq.html\"/>"
msgstr ""
#: en_US/selinux-faq.xml:66(para)
msgid "Writing traditional SE Linux policy HOWTO —<ulink
url=\"https://sourceforge.net/docman/display_doc.php?docid=21959&...
msgstr ""
#: en_US/selinux-faq.xml:73(para)
msgid "Reference Policy (the new policy found in &FC; 5) —<ulink
url=\"http://serefpolicy.sourceforge.net/\"/>"
msgstr ""
#: en_US/selinux-faq.xml:80(para)
msgid "SELinux policy development training courses —<ulink
url=\"http://tresys.com/services/training.shtml\"/> and <ulink
url=\"https://www.redhat.com/training/security/courses/rhs429.html\&...
msgstr ""
#: en_US/selinux-faq.xml:89(para)
msgid "Getting Started with SE Linux HOWTO: the new SE Linux (Debian)
—<ulink
url=\"https://sourceforge.net/docman/display_doc.php?docid=20372&...
msgstr ""
#: en_US/selinux-faq.xml:96(para)
msgid "List of SELinux object classes and permissions —<ulink
url=\"http://tresys.com/selinux/obj_perms_help.shtml\"/>"
msgstr ""
#: en_US/selinux-faq.xml:103(para)
msgid "On IRC —
irc.freenode.net, #fedora-selinux"
msgstr ""
#: en_US/selinux-faq.xml:108(para)
msgid "&FED; mailing list —<ulink
url=\"mailto:fedora-selinux-list@redhat.com\"/>; read the archives or
subscribe at <ulink
url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\&qu...
msgstr ""
#: en_US/selinux-faq.xml:117(title)
msgid "Making changes/additions to the &FED;&SEL; FAQ"
msgstr ""
#: en_US/selinux-faq.xml:118(para)
msgid "This FAQ is available at <ulink
url=\"http://fedora.redhat.com/docs/selinux-faq-fc5/\">http:...
msgstr ""
#: en_US/selinux-faq.xml:122(para)
msgid "For changes or additions to the &FED;&SEL; FAQ, use this <ulink
url=\"&BUG-URL;\">bugzilla template</ulink>, which pre-fills most
of the bug report. Patches should be a <command>diff -u</command> against the
XML, which is available from CVS (refer to <ulink
url=\"http://fedora.redhat.com/projects/docs/\"/> for details on obtaining
the fedora-docs/selinux-faq module from anonymous CVS; you can get just the
<filename>fedora-docs/selinux-faq</filename> module if you don't want the
entire <filename>fedora-docs</filename> tree.) Otherwise, plain text showing
before and after is sufficient."
msgstr ""
#: en_US/selinux-faq.xml:133(para)
msgid "For a list of all bug reports filed against this FAQ, refer to <ulink
url=\"https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id...
msgstr ""
#: en_US/selinux-faq.xml:142(title)
msgid "Understanding &SEL;"
msgstr ""
#: en_US/selinux-faq.xml:145(para)
msgid "What is &SEL;?"
msgstr ""
#: en_US/selinux-faq.xml:150(para)
msgid "&SEL; (<firstterm>Security-Enhanced Linux</firstterm>) in
&FC; is an implementation of <firstterm>mandatory access
control</firstterm> in the Linux kernel using the <firstterm>Linux Security
Modules</firstterm> (<abbrev>LSM</abbrev>) framework. Standard Linux
security is a <firstterm>discretionary access control</firstterm>
model."
msgstr ""
#: en_US/selinux-faq.xml:160(term)
msgid "Discretionary access control (<abbrev>DAC</abbrev>)"
msgstr ""
#: en_US/selinux-faq.xml:162(para)
msgid "DAC is standard Linux security, and it provides no protection from broken
software or malware running as a normal user or root. Users can grant risky levels of
access to files they own."
msgstr ""
#: en_US/selinux-faq.xml:171(term)
msgid "Mandatory access control (<abbrev>MAC</abbrev>)"
msgstr ""
#: en_US/selinux-faq.xml:173(para)
msgid "MAC provides full control over all interactions of software. Administratively
defined policy closely controls user and process interactions with the system, and can
provide protection from broken software or malware running as any user."
msgstr ""
#: en_US/selinux-faq.xml:183(para)
msgid "In a DAC model, file and resource decisions are based solely on user identity
and ownership of the objects. Each user and program run by that user has complete
discretion over the user's objects. Malicious or flawed software can do anything with
the files and resources it controls through the user that started the process. If the user
is the super-user or the application is <command>setuid</command> or
<command>setgid</command> to root, the process can have root level control
over the entire file system."
msgstr ""
#: en_US/selinux-faq.xml:194(para)
msgid "A MAC system does not suffer from these problems. First, you can
administratively define a security policy over all processes and objects. Second, you
control all processes and objects, in the case of &SEL; through the kernel. Third,
decisions are based on all the security relevant information available, and not just
authenticated user identity."
msgstr ""
#: en_US/selinux-faq.xml:202(para)
msgid "MAC under &SEL; allows you to provide granular permissions for all
<firstterm>subjects</firstterm> (users, programs, processes) and
<firstterm>objects</firstterm> (files, devices). In practice, think of
subjects as processes, and objects as the target of a process operation. You can safely
grant a process only the permissions it needs to perform its function, and no more."
msgstr ""
#: en_US/selinux-faq.xml:210(para)
msgid "The &SEL; implementation uses <firstterm>role-based access
control</firstterm> (<abbrev>RBAC</abbrev>), which provides abstracted
user-level control based on roles, and <firstterm><trademark
class=\"registered\">Type Enforcement</trademark></firstterm>
(<abbrev>TE</abbrev>). TE uses a table, or
<firstterm>matrix</firstterm> to handle access controls, enforcing policy
rules based on the types of processes and objects. Process types are called
<firstterm>domains</firstterm>, and a cross-reference on the matrix of the
process's domain and the object's type defines their interaction. This system
provides extremely granular control for actors in a Linux system."
msgstr ""
#: en_US/selinux-faq.xml:228(para)
msgid "What is &SEL; policy?"
msgstr ""
#: en_US/selinux-faq.xml:233(para)
msgid "The &SEL; policy describes the access permissions for all subjects and
objects, that is, the entire system of users, programs, and processes and the files and
devices they act upon. &FC; policy is delivered in a package, with an associated
source package. Current shipping policy packages are:"
msgstr ""
#: en_US/selinux-faq.xml:242(replaceable) en_US/selinux-faq.xml:260(replaceable)
en_US/selinux-faq.xml:261(replaceable) en_US/selinux-faq.xml:262(replaceable)
msgid "<version>"
msgstr ""
#: en_US/selinux-faq.xml:242(filename)
msgid "selinux-policy-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:244(para)
msgid "This package is common to all types of policy and contains config files/man
pages. This includes the interface files for the development environment. This replaces
the -sources package from the past. This package contains the interface files used in
Reference Policy along with a Makefile and a small tool called
<command>policygentool</command> used to generate a policy template file. The
interface files reside in
<filename>/usr/share/selinux/devel/headers</filename> directory. If you want
to see all of the policy files used to build the Reference Policy you need to install the
src.rpm."
msgstr ""
#: en_US/selinux-faq.xml:260(filename)
msgid "selinux-policy-strict-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:261(filename)
msgid "selinux-policy-targeted-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:262(filename)
msgid "selinux-policy-mls-<placeholder-1/>.noarch.rpm"
msgstr ""
#: en_US/selinux-faq.xml:264(para)
msgid "Binary policy files are in
<filename>/etc/selinux/<replaceable>policyname</replaceable>/</filename>.
The policy for the types and domains is configured separately from security context for
the subjects and objects."
msgstr ""
#: en_US/selinux-faq.xml:274(para) en_US/selinux-faq.xml:329(para)
en_US/selinux-faq.xml:476(para) en_US/selinux-faq.xml:499(para)
msgid "More information on the different policies available in SELinux can be found
at <ulink
url=\"http://fedoraproject.org/wiki/SELinux/Policies\"/>."
msgstr ""
#: en_US/selinux-faq.xml:286(para)
msgid "What is the &SEL; targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:291(para)
msgid "When &SEL; was initially introduced in &FC;, it enforced the NSA
strict policy. For testing purposes, this effectively exposed hundreds of problems in the
strict policy. In addition, it demonstrated that applying a single strict policy to the
many environments of &FED; users was not feasible. To manage a single strict policy
for anything other than default installation would require local expertise."
msgstr ""
#: en_US/selinux-faq.xml:300(para)
msgid "At this point, the &SEL; developers reviewed their choices, and decided to
try a different strategy. They decided to create a
<firstterm>targeted</firstterm> policy that locks down specific daemons,
especially those vulnerable to attack or which could devastate a system if broken or
compromised. The rest of the system runs exactly as it would under standard Linux DAC
security."
msgstr ""
#: en_US/selinux-faq.xml:308(para)
msgid "Under the targeted policy, most processes run in the
<computeroutput>unconfined_t</computeroutput> domain. As the name implies,
these processes are mostly unconfined by the &SEL; policy. They are still governed by
standard Linux DAC security, however."
msgstr ""
#: en_US/selinux-faq.xml:315(para)
msgid "Those network daemons which are addressed in the targeted policy make a
transition to the targeted policy when the application starts. For example, at system
boot, <command>init</command> runs under the
<computeroutput>unconfined_t</computeroutput> policy. When
<command>named</command> starts, it makes a transition to the
<computeroutput>named_t</computeroutput> domain and is locked down by the
appropriate policy."
msgstr ""
#: en_US/selinux-faq.xml:324(para)
msgid "For more information on enabling or disabling targeted policy on each of the
specific daemons, refer to <xref
linkend=\"qa-using-s-c-securitylevel\"/>."
msgstr ""
#: en_US/selinux-faq.xml:338(para)
msgid "What programs are protected by the targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:343(para)
msgid "Currently, the list of programs is approximately:"
msgstr ""
#: en_US/selinux-faq.xml:346(para)
msgid "<filename>accton</filename>,
<filename>amanda</filename>, <filename>httpd</filename> (apache),
<filename>arpwatch</filename>, <filename>pam</filename>,
<filename>automount</filename>, <filename>avahi</filename>,
<filename>named</filename>, <filename>bluez</filename>,
<filename>lilo</filename>, <filename>grub</filename>,
<filename>canna</filename>, <filename>comsat</filename>,
<filename>cpucontrol</filename>, <filename>cpuspeed</filename>,
<filename>cups</filename>, <filename>cvs</filename>,
<filename>cyrus</filename>, <filename>dbskkd</filename>,
<filename>dbus</filename>, <filename>dhcpd</filename>,
<filename>dictd</filename>, <filename>dmidecode</filename>,
<filename>dovecot</filename>, <filename>fetchmail</filename>,
<filename>fingerd</filename>, <filename>ftpd</filename> (vsftpd,
proftpd, and muddleftpd), <filename>gpm</filename>,
<filename>hald</filename>, <filename>hotplug</filename>,
<filename>howl</filename>, <filename>innd</filename>,
<filename>kerberos</filename>, <filename>ktalkd</filename>,
<filename>openldap</filename>, <filename>auditd</filename>,
<filename>syslog</filename>, <filename>logwatch</filename>,
<filename>lpd</filename>, <filename>lvm</filename>,
<filename>mailman</filename>,
<filename>module-init-tools</filename>,
<filename>mount</filename>, <filename>mysql</filename>,
<filename>NetworkManager</filename>, <filename>NIS</filename>,
<filename>nscd</filename>, <filename>ntp</filename>,
<filename>pegasus</filename>, <filename>portmap</filename>,
<filename>postfix</filename>, <filename>postgresql</filename>,
<filename>pppd</filename>, <filename>pptp</filename>,
<filename>privoxy</filename>, <filename>procmail</filename>,
<filename>radiusd</filename>, <filename>radvd</filename>,
<filename>rlogin</filename>, <filename>nfs</filename>,
<filename>rsync</filename>, <filename>samba</filename>,
<filename>saslauthd</filename>, <filename>snmpd</filename>,
<filename>spamd</filename>, <filename>squid</filename>,
<filename>stunnel</filename>, <filename>dhcpc</filename>,
<filename>ifconfig</filename>, <filename>sysstat</filename>, <filename>tcp
wrappers</filename>, <filename>telnetd</filename>,
<filename>tftpd</filename>, <filename>updfstab</filename>,
<filename>user management</filename> (passwd, useradd, etc.),
<filename>crack</filename>, <filename>uucpd</filename>,
<filename>vpnc</filename>, <filename>webalizer</filename>,
<filename>xend</filename>, <filename>xfs</filename>,
<filename>zebra</filename>"
msgstr ""
#: en_US/selinux-faq.xml:459(para)
msgid "What about the strict policy? Does it even work?"
msgstr ""
#: en_US/selinux-faq.xml:464(para)
msgid "The strict policy <emphasis>does</emphasis> work on &FC;. It
is challenged by the unique environments of different users. To use the strict policy in
your environment, you may need to fine-tune both the policy and your systems."
msgstr ""
#: en_US/selinux-faq.xml:470(para)
msgid "To make the strict policy easier to use, &SEL; developers have tried to
make the change from one policy to the other easier. For example,
<command>system-config-securitylevel</command> builds a relabel into the
startup scripts."
msgstr ""
#: en_US/selinux-faq.xml:485(para)
msgid "What is the mls policy? Who is it for?"
msgstr ""
#: en_US/selinux-faq.xml:490(para)
msgid "The mls policy is similar to the strict policy, but adds an additional field
to security contexts for separating levels. &SEL; can use these levels to separate
data in an environment that calls for strict hierarchical separation. A typical example is
a military setting, where data is classified at a certain level. This policy is geared
toward this sort of environment, and is probably not useful to you unless you fall into
this category."
msgstr ""
#: en_US/selinux-faq.xml:508(para)
msgid "What is the Reference Policy?"
msgstr ""
#: en_US/selinux-faq.xml:513(para)
msgid "The <firstterm>Reference Policy</firstterm> is a new project
maintained by Tresys Technology (<ulink
url=\"http://www.tresys.com/\"/>)
designed to rewrite the entire SELinux policy in a way that is easier to use and
understand. To do this, it uses the concepts of modularity, abstraction, and well-defined
interfaces. Refer to <ulink
url=\"http://serefpolicy.sourceforge.net/\"/>
for more information on the Reference Policy."
msgstr ""
#: en_US/selinux-faq.xml:524(para)
msgid "Note that Reference Policy is not a new type of policy, like targeted or
strict. Rather, it is a new base that policies can be built from. Targeted, strict, and
mls policies can all be built from Reference Policy. In fact, one of the design goals of
Reference Policy is to have a single unified source tree for the different policy
variants."
msgstr ""
#: en_US/selinux-faq.xml:532(para)
msgid "Fedora policies at version 1.x are based on the traditional example policy.
Version 2.x policies (as used in &FC;&LOCALVER;) are based on the Reference
Policy."
msgstr ""
#: en_US/selinux-faq.xml:541(para)
msgid "What are file contexts?"
msgstr ""
#: en_US/selinux-faq.xml:546(para)
msgid "<firstterm>File contexts</firstterm> are used by the
<command>setfiles</command> command to generate persistent labels which
describe the security context for a file or directory."
msgstr ""
#: en_US/selinux-faq.xml:551(para)
msgid "&FC; ships with the <command>fixfiles</command> script, which
supports three options: <option>check</option>,
<option>restore</option>, and <option>relabel</option>. This
script allows users to relabel the file system without having the
<filename>selinux-policy-targeted-sources</filename> package installed. The
command line usage is more friendly than the standard
<command>setfiles</command> command."
msgstr ""
#: en_US/selinux-faq.xml:564(para)
msgid "How do I view the security context of a file, user, or process?"
msgstr ""
#: en_US/selinux-faq.xml:569(para)
msgid "The new option <option>-Z</option> is the short method for
displaying the context of a subject or object:"
msgstr ""
#: en_US/selinux-faq.xml:574(replaceable)
msgid "file.foo"
msgstr ""
#: en_US/selinux-faq.xml:574(command)
msgid "ls -alZ <placeholder-1/> id -Z ps -eZ"
msgstr ""
#: en_US/selinux-faq.xml:582(para)
msgid "What is the difference between a <firstterm>domain</firstterm> and
a <firstterm>type</firstterm>?"
msgstr ""
#: en_US/selinux-faq.xml:588(para)
msgid "There is no difference between a domain and a type, although domain is
sometimes used to refer to the type of a process. The use of domain in this way stems from
Domain and Type Enforcement (DTE) models, where domains and types are separate."
msgstr ""
#: en_US/selinux-faq.xml:598(para)
msgid "What are policy modules?"
msgstr ""
#: en_US/selinux-faq.xml:603(para)
msgid "Prior to &FC; 5, SELinux policies were monolithic, meaning that they were
compiled into a single policy binary. To make changes or additions to that policy, an
administrator had to change out the entire policy. With &FC; 5, the policy is now
modular. This means that third party developers can ship policy modules with their
applications, and then they can be added to the policy without having to switch out the
entire policy, in much the same way that kernel modules can add functionality to the
kernel without having to reboot the entire system."
msgstr ""
#: en_US/selinux-faq.xml:614(para)
msgid "This actually works by separating out compile and link steps in the policy
build procedure. Policy modules are compiled from source, and linked when installed into
the module store (see <xref
linkend=\"faq-entry-whatis-managed-policy\"/>). This linked policy is then
loaded into the kernel for enforcement."
msgstr ""
#: en_US/selinux-faq.xml:621(para)
msgid "The primary command for dealing with modules is
<command>semodule</command>, which lets you perform basic functions such
as installing, upgrading, or removing modules. Modules are usually stored as policy
package files (.pp extension) in
<filename>/usr/share/selinux/<replaceable>policyname</replaceable>/</filename>.
There you should at least find base.pp, which is the base module."
msgstr ""
#: en_US/selinux-faq.xml:635(para)
msgid "What is managed policy?"
msgstr ""
#: en_US/selinux-faq.xml:640(para)
msgid "Prior to &FC; 5, SELinux policies were handled as user-editable config
files in /etc. Unfortunately, this made it difficult to address many of the usability
issues arising with SELinux. So, a new library,
<filename>libsemanage</filename>, was added to give userspace tools an
interface that makes policy management easier. All policy management should use this
library to access the policy store. The policy store holds all the policy information, and
is found at
<filename>/etc/selinux/<replaceable>policyname</replaceable>/</filename>."
msgstr ""
#: en_US/selinux-faq.xml:651(para)
msgid "You should never have to edit the store directly. Instead, you should use
tools that link against libsemanage. One example tool is
<command>semanage</command>, which is a command line tool for managing much of
the policy such as SELinux user mappings, SELinux port mappings, and file contexts
entries. Other graphical tools are currently being developed as well."
msgstr ""
#: en_US/selinux-faq.xml:663(title)
msgid "Controlling &SEL;"
msgstr ""
#: en_US/selinux-faq.xml:666(para)
msgid "How do I install/not install &SEL;?"
msgstr ""
#: en_US/selinux-faq.xml:671(para)
msgid "The installer follows the choice you make in the <guilabel>Firewall
Configuration</guilabel> screen. The default running policy is the targeted policy,
and it is on by default."
msgstr ""
#: en_US/selinux-faq.xml:680(para)
msgid "How do I switch the policy I am currently using?"
msgstr ""
#: en_US/selinux-faq.xml:686(title)
msgid "Use caution when switching policy"
msgstr ""
#: en_US/selinux-faq.xml:687(para)
msgid "Other than trying out a new policy on a test machine for research purposes,
you should seriously consider your situation before switching to a different policy on a
production system. The act of switching is straightforward. This method is fairly safe,
but you should try it first on a test system."
msgstr ""
#: en_US/selinux-faq.xml:695(para)
msgid "To use the automated method, run the <application>Security Level
Configuration</application> tool. From the GUI Main Menu, select
<menuchoice><guimenu>Desktop</guimenu><guisubmenu>System
Settings</guisubmenu><guimenuitem>Security
level</guimenuitem></menuchoice>, or from a terminal, run
<command>system-config-securitylevel</command>. Change the policy as desired
and ensure that the <guilabel>Relabel on next reboot</guilabel> option is
enabled."
msgstr ""
#: en_US/selinux-faq.xml:707(para)
msgid "You can also perform these steps manually with the following procedure:"
msgstr ""
#: en_US/selinux-faq.xml:713(para)
msgid "Edit <filename>/etc/selinux/config</filename> and change the type
and the mode of policy:"
msgstr ""
#: en_US/selinux-faq.xml:718(replaceable)
msgid "policyname"
msgstr ""
#: en_US/selinux-faq.xml:718(userinput)
#, no-wrap
msgid "SELINUXTYPE=<placeholder-1/>\nSELINUX=permissive"
msgstr ""
#: en_US/selinux-faq.xml:721(para)
msgid "This step ensures you will not be locked out after rebooting. &SEL; will
run under the correct policy, but will allow you to login if there is a problem such as
incorrect file context labeling."
msgstr ""
#: en_US/selinux-faq.xml:729(para)
msgid "Set the system to relabel the file system on reboot:"
msgstr ""
#: en_US/selinux-faq.xml:733(command)
msgid "touch /.autorelabel"
msgstr ""
#: en_US/selinux-faq.xml:737(para)
msgid "Reboot the system. A clean restart under the new policy allows all system
processes to be started in the proper context, and reveals any problems in the policy
change."
msgstr ""
#: en_US/selinux-faq.xml:744(para)
msgid "Confirm your changes took effect with the following command:"
msgstr ""
#: en_US/selinux-faq.xml:748(command)
msgid "sestatus -v"
msgstr ""
#: en_US/selinux-faq.xml:750(para)
msgid "With the new system running in
<computeroutput>permissive</computeroutput> mode, check
<filename>/var/log/messages</filename> for <computeroutput>avc:
denied</computeroutput> messages. These may indicate a problem that needs to be
solved for the system to run without trouble under the new policy."
msgstr ""
#: en_US/selinux-faq.xml:760(para)
msgid "When you are satisfied that the system runs stably under the new policy,
enable enforcing by changing
<computeroutput>SELINUX=enforcing</computeroutput>. You can either reboot or
run <command>setenforce 1</command> to turn enforcing on in real time."
msgstr ""
#: en_US/selinux-faq.xml:773(para)
msgid "How can I back up files from an &SEL; file system?"
msgstr ""
#: en_US/selinux-faq.xml:778(para)
msgid "Use the <command>star</command> utility, which supports the
extended attributes that store the security context labels. Specify the
<option>-xattr</option> and <option>-H=exustar</option> options
when creating archives."
msgstr ""
#: en_US/selinux-faq.xml:785(command)
msgid "ls -Z /var/log/maillog"
msgstr ""
#: en_US/selinux-faq.xml:787(command)
msgid "cd /var/log star -xattr -H=exustar -c -f maillog.star ./maillog*"
msgstr ""
#: en_US/selinux-faq.xml:784(screen)
#, no-wrap
msgid "\n<placeholder-1/>\n-rw------- root root
system_u:object_r:var_log_t /var/log/maillog\n<placeholder-2/>\n"
msgstr ""
#: en_US/selinux-faq.xml:791(title)
msgid "Absolute paths can overwrite existing data"
msgstr ""
#: en_US/selinux-faq.xml:792(para)
msgid "If you use an absolute path, such as
<filename>/var/log/maillog</filename>, when you unpack the archive with
<command>star -x -f</command>, the files will be restored to the same path
they were archived with. The <filename>maillog</filename> file will attempt to
write to <filename>/var/log/maillog</filename>. You should receive a warning
from <command>star</command> if the files about to be overwritten have a later
date, but you cannot rely on this behavior."
msgstr ""
#: en_US/selinux-faq.xml:803(para)
msgid "Consider carefully how you construct your archiving argument."
msgstr ""
#: en_US/selinux-faq.xml:811(para)
msgid "How can I install the strict policy by default with kickstart?"
msgstr ""
#: en_US/selinux-faq.xml:818(para)
msgid "Under the <computeroutput>%packages</computeroutput> section, add
<filename>selinux-policy-strict</filename>."
msgstr ""
#: en_US/selinux-faq.xml:824(para)
msgid "Under the <computeroutput>%post</computeroutput> section, add the
following:"
msgstr ""
#: en_US/selinux-faq.xml:829(computeroutput)
#, no-wrap
msgid "lokkit -q --selinuxtype=strict\ntouch /.autorelabel"
msgstr ""
#: en_US/selinux-faq.xml:838(para)
msgid "How do I enable/disable &SEL; protection on specific daemons under the
targeted policy?"
msgstr ""
#: en_US/selinux-faq.xml:844(para)
msgid "Use <command>system-config-securitylevel</command>, also known as
the <application>Security Level Configuration</application> graphical tool, to
control the Boolean values of specific daemons. For example, if you need to disable
&SEL; for Apache to run correctly in your environment, you can disable the value in
<command>system-config-securitylevel</command>. This change disables the
transition to the policy defined in <filename>apache.te</filename>, allowing
<command>httpd</command> to remain under regular Linux DAC security."
msgstr ""
#: en_US/selinux-faq.xml:860(para)
msgid "How do I make a user <filename>public_html</filename> directory
work under &SEL;?"
msgstr ""
#: en_US/selinux-faq.xml:866(para)
msgid "This process presumes that you have enabled user public HTML directories in
your Apache configuration file,
<filename>/etc/httpd/conf/httpd.conf</filename>. This process only covers
serving static Web content. For more information about &APACHE; and &SEL;, refer
to <ulink
url=\"http://fedora.redhat.com/docs/selinux-apache-fc3/\"/>....
msgstr ""
#: en_US/selinux-faq.xml:876(para)
msgid "If you do not already have a <filename>~/public_html</filename>
directory, create it and populate it with the files and folders to be served."
msgstr ""
#: en_US/selinux-faq.xml:882(userinput)
#, no-wrap
msgid "cd ~\nmkdir public_html\ncp /path/to/content ~/public_html"
msgstr ""
#: en_US/selinux-faq.xml:888(para)
msgid "At this point, <command>httpd</command> is configured to serve the
contents, but you will still receive a <computeroutput>403 forbidden</computeroutput>
error. This is because the policy does not allow <command>httpd</command> to read
files of the type that new files in a user's home directory receive
(<computeroutput>user_home_t</computeroutput>). Change the security context of the
folder and its contents recursively using the <option>-R</option> option:"
msgstr ""
#: en_US/selinux-faq.xml:899(userinput)
#, no-wrap
msgid "ls -Z -d public_html/"
msgstr ""
#: en_US/selinux-faq.xml:900(computeroutput)
#, no-wrap
msgid "drwxrwxr-x auser auser user_u:object_r:user_home_t
public_html"
msgstr ""
#: en_US/selinux-faq.xml:901(userinput)
#, no-wrap
msgid "chcon -R -t httpd_user_content_t public_html/\nls -Z -d public_html/"
msgstr ""
#: en_US/selinux-faq.xml:903(computeroutput)
#, no-wrap
msgid "drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t
public_html/"
msgstr ""
#: en_US/selinux-faq.xml:904(userinput)
#, no-wrap
msgid "ls -Z public_html/"
msgstr ""
#: en_US/selinux-faq.xml:905(computeroutput)
#, no-wrap
msgid "-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t
bar.html\n-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t
baz.html\n-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t
foo.html"
msgstr ""
#: en_US/selinux-faq.xml:909(para)
msgid "You may notice at a later date that the user field, set here to
<computeroutput>user_u</computeroutput>, is changed to
<computeroutput>system_u</computeroutput>. This does not affect how the
targeted policy works. The field that matters is the type field."
msgstr ""
#: en_US/selinux-faq.xml:918(para)
msgid "Your static webpages should now be served correctly. If you continue to have
errors, ensure that the Boolean which enables user home directories is enabled. You can
set it using <command>system-config-securitylevel</command>. Select the
<guilabel>&SEL;</guilabel> tab, and then select the <guilabel>Modify
&SEL; Policy</guilabel> area. Select <computeroutput>Allow HTTPD to read home
directories</computeroutput>. The changes take effect
immediately."
msgstr ""
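The following is an added example; it is not part of the FAQ and not Fedora or SELinux project code. It automates the check the procedure above does by eye: it pulls the type field (the third colon-separated field, which the FAQ notes is the one that matters under the targeted policy) out of `ls -Z` output, lists every entry whose type is not `httpd_user_content_t`, and only then runs `chcon -R -t`. The `getsebool httpd_enable_homedirs` call assumes that is the Boolean behind the "Allow HTTPD to read home directories" checkbox; the page does not name it. The `ls -Z` lines used to exercise the parser are constructed, not captured from a system.

```shell
#!/bin/sh
# Added example: verify and repair the SELinux labels on a user's public_html.
# Not code from the Fedora SELinux FAQ; written to illustrate the procedure.

# Type field of a security context: user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` output on stdin and print the name of every entry whose type
# differs from $1. The context is the first field with >= 3 colon-separated
# parts (works for the old long form shown in the FAQ and for the modern
# "context name" form); the name is the last field, so this assumes file
# names without spaces. Lines with no context (ls -R headers) are skipped.
mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if (split($i, f, ":") >= 3) {
                if (f[3] != want) print $NF
                break
            }
        }
    }'
}

# Relabel only if something in the tree carries the wrong type, then re-check.
# Directory defaults to ~/public_html; the target type is the one the FAQ uses.
relabel_public_html() {
    dir="${1:-$HOME/public_html}"
    want=httpd_user_content_t
    bad=$( { ls -Zd "$dir"; ls -ZR "$dir"; } | mislabeled "$want")
    if [ -z "$bad" ]; then
        echo "$dir: every entry already has type $want"
        return 0
    fi
    echo "$dir: wrong type on:"
    echo "$bad"
    chcon -R -t "$want" "$dir" || return 1
    # Assumption: httpd_enable_homedirs is the Boolean behind the
    # "Allow HTTPD to read home directories" checkbox; the FAQ does not name it.
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_enable_homedirs
    fi
    # Anything still printed here was not fixed by chcon
    { ls -Zd "$dir"; ls -ZR "$dir"; } | mislabeled "$want"
}

# Usage on a real system:  relabel_public_html ~/public_html
```

`mislabeled` compares only the type, so a later change of the user field from `user_u` to `system_u` (which the FAQ says does not matter) is not reported as a problem.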
#: en_US/selinux-faq.xml:935(para)
msgid "How do I turn &SEL; off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:940(para)
msgid "Set <computeroutput>SELINUX=disabled</computeroutput> in
<filename>/etc/selinux/config</filename>."
msgstr ""
#: en_US/selinux-faq.xml:944(para)
msgid "Alternatively, you can add <option>selinux=0</option> to your
kernel boot parameters. However, this option is not recommended."
msgstr ""
#: en_US/selinux-faq.xml:949(title)
msgid "Be careful when disabling &SEL;"
msgstr ""
#: en_US/selinux-faq.xml:950(para)
msgid "If you boot with <option>selinux=0</option>, any files you create
while &SEL; is disabled will not have &SEL; context information. The file system
will be marked for relabeling at the next boot. If an unforeseen problem prevents you from
rebooting normally, you may need to boot in single-user mode for recovery. Add the option
<option>emergency</option> to your kernel boot parameters."
msgstr ""
#: en_US/selinux-faq.xml:964(para)
msgid "How do I turn enforcing on/off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:969(para)
msgid "You can specify the &SEL; mode using the configuration file
<filename>/etc/sysconfig/selinux</filename>."
msgstr ""
#: en_US/selinux-faq.xml:974(computeroutput)
#, no-wrap
msgid "# This file controls the state of SELinux on the system.\n# SELINUX= can take
one of these three values:\n# enforcing - SELinux security policy is enforced.\n#
permissive - SELinux prints warnings instead of enforcing.\n# disabled - No
SELinux policy is loaded."
msgstr ""
#: en_US/selinux-faq.xml:979(replaceable)
msgid "enforcing"
msgstr ""
#: en_US/selinux-faq.xml:980(computeroutput)
#, no-wrap
msgid "# SELINUXTYPE= type of policy in use. Possible values are:\n# targeted -
Only targeted network daemons are protected.\n# strict - Full SELinux
protection."
msgstr ""
#: en_US/selinux-faq.xml:983(replaceable)
msgid "targeted"
msgstr ""
#: en_US/selinux-faq.xml:973(screen)
#, no-wrap
msgid
"\n<placeholder-1/>\nSELINUX=<userinput><placeholder-2/></userinput>\n<placeholder-3/>\nSELINUXTYPE=<userinput><placeholder-4/></userinput>\n"
msgstr ""
#: en_US/selinux-faq.xml:985(para)
msgid "Setting the value to <computeroutput>enforcing</computeroutput> is
the same as adding <option>enforcing=1</option> to the kernel boot parameters.
Setting the value to <computeroutput>permissive</computeroutput> is the same
as adding <option>enforcing=0</option> to the kernel boot parameters."
msgstr ""
#: en_US/selinux-faq.xml:992(para)
msgid "However, setting the value to
<computeroutput>disabled</computeroutput> is not the same as the
<option>selinux=0</option> kernel boot parameter. Rather than fully disabling
&SEL; in the kernel, the <computeroutput>disabled</computeroutput> setting
instead turns enforcing off and skips loading a policy."
msgstr ""
#: en_US/selinux-faq.xml:1001(title)
msgid "&SEL; Configuration Precedence"
msgstr ""
#: en_US/selinux-faq.xml:1002(para)
msgid "The command line kernel parameter overrides the configuration file."
msgstr ""
#: en_US/selinux-faq.xml:1011(para)
msgid "How do I temporarily turn off enforcing mode without having to reboot?"
msgstr ""
#: en_US/selinux-faq.xml:1017(para)
msgid "Occasionally you may need to perform an action that is normally prevented by
policy. Run the command <command>setenforce 0</command> to turn off enforcing
mode in real time. When you are finished, run <command>setenforce 1</command>
to turn enforcing back on."
msgstr ""
#: en_US/selinux-faq.xml:1025(title)
msgid "<computeroutput>sysadm_r</computeroutput> Role Required for strict
policy"
msgstr ""
#: en_US/selinux-faq.xml:1027(para)
msgid "You must issue the <command>setenforce</command> command with the
<computeroutput>sysadm_r</computeroutput> role if you are using strict policy.
If you are using the standard targeted policy, then this is not necessary. Use the
<command>newrole</command> command to assume this role."
msgstr ""
#: en_US/selinux-faq.xml:1039(para)
msgid "How do I turn system call auditing on/off at boot?"
msgstr ""
#: en_US/selinux-faq.xml:1044(para)
msgid "Add <option>audit=1</option> to your kernel command line to turn
system call auditing on. Add <option>audit=0</option> to your kernel command
line to turn system call auditing off."
msgstr ""
#: en_US/selinux-faq.xml:1049(para)
msgid "System-call auditing is <emphasis>on</emphasis> by default. When
on, it provides information about the system call that was executing when SELinux
generated a <computeroutput>denied</computeroutput> message. The error message
is helpful when debugging policy."
msgstr ""
#: en_US/selinux-faq.xml:1060(para)
msgid "How do I temporarily turn off system-call auditing without having to
reboot?"
msgstr ""
#: en_US/selinux-faq.xml:1066(para)
msgid "Run <command>auditctl -e 0</command>. Note that this command will
not affect auditing of SELinux AVC denials."
msgstr ""
#: en_US/selinux-faq.xml:1074(para)
msgid "How do I get status info about my &SEL; installation?"
msgstr ""
#: en_US/selinux-faq.xml:1079(para)
msgid "As root, execute the command <command>/usr/sbin/sestatus
-v</command>. For more information, refer to the
<filename>sestatus(8)</filename> manual page."
msgstr ""
#: en_US/selinux-faq.xml:1088(para)
msgid "How do I write policy to allow a domain to use pam_unix.so?"
msgstr ""
#: en_US/selinux-faq.xml:1093(para)
msgid "Very few domains in the SELinux world are allowed to read the
<filename>/etc/shadow</filename> file. There are constraint rules that prevent
policy writers from writing code like"
msgstr ""
#: en_US/selinux-faq.xml:1099(command)
msgid "allow mydomain_t shadow_t:file read;"
msgstr ""
#: en_US/selinux-faq.xml:1101(para)
msgid "In RHEL4 you can set up your domain to use the
<command>unix_chkpwd</command> helper. The easiest way is to give the domain the
<computeroutput>auth_chkpwd</computeroutput> attribute. So if you were writing policy
for an ftpd daemon you would write something like"
msgstr ""
#: en_US/selinux-faq.xml:1108(command)
msgid "daemon_domain(vsftpd, `auth_chkpwd')"
msgstr ""
#: en_US/selinux-faq.xml:1110(para)
msgid "This sets up a domain transition chain vsftpd_t -> chkpwd_exec_t ->
system_chkpwd_t, so that the helper domain system_chkpwd_t can read
<filename>/etc/shadow</filename> while vsftpd_t itself is not able to read it."
msgstr ""
#: en_US/selinux-faq.xml:1116(para)
msgid "In &FC;&LOCALVER;/RHEL5, add the rule"
msgstr ""
#: en_US/selinux-faq.xml:1120(command)
msgid "auth_domtrans_chk_passwd(vsftpd_t)"
msgstr ""
#: en_US/selinux-faq.xml:1126(para)
msgid "In the past I have written a local.te file in the policy sources for my own local
customizations to policy. How do I do this with Reference Policy?"
msgstr ""
#: en_US/selinux-faq.xml:1133(para)
msgid "If you have specific AVC messages you can use
<command>audit2allow</command> to generate a Type Enforcement file that is
ready to load as a policy module."
msgstr ""
#: en_US/selinux-faq.xml:1140(command)
msgid "audit2allow -M local < /tmp/avcs"
msgstr ""
#: en_US/selinux-faq.xml:1142(para)
msgid "This will create a <filename>local.pp</filename> which you can
then load into the kernel using <command>semodule -i local.pp</command>. You
can also edit the <filename>local.te</filename> to make additional
customizations."
msgstr ""
#: en_US/selinux-faq.xml:1150(computeroutput)
#, no-wrap
msgid "audit2allow -M local -l -i /var/log/messages\nGenerating type enforcment file:
local.te\nCompiling policy\ncheckmodule -M -m -o local.mod local.te\nsemodule_package -o
local.pp -m local.mod\n\n******************** IMPORTANT ***********************\n\nIn
order to load this newly created policy package into the kernel,\nyou are required to
execute\n\nsemodule -i local.pp"
msgstr ""
#: en_US/selinux-faq.xml:1163(para)
msgid "Note that the above assumes you are not using the audit daemon. If you were
using the audit daemon, then you should use
<filename>/var/log/audit/audit.log</filename> instead of
<filename>/var/log/messages</filename> as your log file. This will generate a
<filename>local.te</filename> file, that looks something like the
following:"
msgstr ""
#: en_US/selinux-faq.xml:1172(computeroutput)
#, no-wrap
msgid "module local 1.0;\n\nrequire {\n class file { append execute
execute_no_trans getattr ioctl read write };\n type httpd_t;\n type
httpd_w3c_script_exec_t;\n };\n\n\nallow httpd_t httpd_w3c_script_exec_t:file { execute
execute_no_trans getattr ioctl read };"
msgstr ""
#: en_US/selinux-faq.xml:1183(para)
msgid "You can hand edit this file and then recompile and reload it using"
msgstr ""
#: en_US/selinux-faq.xml:1189(para)
msgid "<command>checkmodule</command> to compile the te file"
msgstr ""
#: en_US/selinux-faq.xml:1194(para)
msgid "<command>semodule_package</command> to create a policy
package"
msgstr ""
#: en_US/selinux-faq.xml:1199(para)
msgid "<command>semodule</command> to add it to the current machine's
running policy"
msgstr ""
#: en_US/selinux-faq.xml:1205(title)
msgid "Important"
msgstr ""
#: en_US/selinux-faq.xml:1206(para)
msgid "In order to load this newly created policy package into the kernel, you are
required to execute <command>semodule -i local.pp</command>"
msgstr ""
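The following is an added example, not code from the Fedora SELinux FAQ and not `audit2allow` itself. It shows the core of what `audit2allow` does before you hand-edit `local.te`: it reads AVC denial lines, keys them by source type, target type and object class, merges the permissions, and prints `allow` rules in the form shown in the generated `local.te` above. It accepts both the syslog-style lines you get without the audit daemon and the `type=AVC` lines from `/var/log/audit/audit.log`, with or without an MLS level on the contexts. The sample log lines inside the script are constructed for the demo, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the Fedora SELinux FAQ and not audit2allow
# itself: condense AVC denial lines into Type Enforcement allow rules, one per
# (source type, target type, object class) with the permissions merged.
# Accepts syslog-style lines (kernel: audit(...): avc:  denied ...) and auditd
# lines (type=AVC msg=audit(...): avc:  denied ...), with or without an MLS
# level on the contexts.

# Read log lines on stdin, print allow rules sorted by source/target.
avc_to_allow() {
    grep 'avc: *denied' | awk '
    # Third field of user:role:type[:level] is the type
    function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
    {
        src = ""; tgt = ""; cls = ""; perms = ""
        # Permissions are the words between the first "{" and "}"
        if (match($0, /\{[^}]*}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = type_of(substr($i, 10))
            if ($i ~ /^tcontext=/) tgt = type_of(substr($i, 10))
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (p[j] == "") continue
            # merge permissions for the same (src, tgt, class), no duplicates
            if (index(" " have[key] " ", " " p[j] " ") == 0)
                have[key] = have[key] " " p[j]
        }
    }
    END {
        for (k in have)
            printf "allow %s {%s };\n", k, have[k]
    }' | sort
}

# Constructed sample log (not real data): two denials for httpd on a CGI
# script in the two log formats, one for a home-directory file, and one
# unrelated line that must be ignored.
avc_sample_log() {
    cat <<'EOF'
Mar 24 10:00:01 host kernel: audit(1143212401.123:45): avc:  denied  { read } for  pid=2456 comm="httpd" name="index.cgi" dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_w3c_script_exec_t tclass=file
type=AVC msg=audit(1143212402.456:46): avc:  denied  { getattr execute } for  pid=2456 comm="httpd" name="index.cgi" dev=hda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_w3c_script_exec_t:s0 tclass=file
type=AVC msg=audit(1143212403.789:47): avc:  denied  { read } for  pid=2456 comm="httpd" name="index.html" dev=hda3 ino=23456 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Mar 24 10:00:05 host sshd[1234]: Accepted publickey for auser from 192.0.2.10
EOF
}

# Demo on the constructed lines; on a real system feed the real log instead:
#   avc_to_allow < /var/log/audit/audit.log   (or /var/log/messages without auditd)
# Review the output before pasting it into the allow section of local.te and
# rebuilding with checkmodule -M -m, semodule_package and semodule -i.
if [ "${1:-}" = demo ]; then
    avc_sample_log | avc_to_allow
fi
```

Run with `sh script.sh demo` to see the two merged rules for the constructed lines. Note that a rule produced this way only reflects what was denied, not what the program should be allowed; the second rule (httpd reading `user_home_t`) is exactly the kind of denial that is better solved by relabeling or a Boolean than by an allow rule.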
#: en_US/selinux-faq.xml:1216(para)
msgid "I created a new policy package. Where do I put it to make sure that it gets
loaded into the kernel?"
msgstr ""
#: en_US/selinux-faq.xml:1222(para)
msgid "All you need to do is execute the <command>semodule -i
myapp.pp</command> command. This modifies the policy store on the machine, and
from then on your policy module is loaded with the rest of the policy at every boot.
You can even remove the <filename>pp</filename> file from the system afterwards."
msgstr ""
#: en_US/selinux-faq.xml:1230(para)
msgid "<command>semodule -l</command> will list the currently loaded
modules."
msgstr ""
#: en_US/selinux-faq.xml:1235(computeroutput)
#, no-wrap
msgid "semodule -l\nmyapp 1.2.1"
msgstr ""
#: en_US/selinux-faq.xml:1238(para)
msgid "If you later would like to remove the policy package, you can execute
<command>semodule -r myapp</command>."
msgstr ""
#: en_US/selinux-faq.xml:1246(title)
msgid "Resolving Problems"
msgstr ""
#: en_US/selinux-faq.xml:1249(para)
msgid "My application isn't working as expected and I am seeing
<computeroutput>avc: denied</computeroutput> messages. How do I fix
this?"
msgstr ""
#: en_US/selinux-faq.xml:1256(para)
msgid "This message means that the current SELinux policy is not allowing the
application to do something. There are a number of reasons this could happen."
msgstr ""
#: en_US/selinux-faq.xml:1261(para)
msgid "First, one of the files the application is trying to access could be
mislabeled. If the AVC message refers to a specific file, inspect its current label with
<command>ls -alZ
<replaceable>/path/to/file</replaceable></command>. If it seems wrong,
use the command <command>restorecon -v
<replaceable>/path/to/file</replaceable></command> to restore the
file's default context. If you have a large number of denials related to files, you
may want to use <command>fixfiles relabel</command>, or run
<command>restorecon -R <replaceable>/path</replaceable></command>
to recursively relabel a directory path."
msgstr ""
#: en_US/selinux-faq.xml:1274(para)
msgid "Denials are sometimes due to a configuration change in the program that
triggered the denial message. For example, if you change Apache to also listen on port
8800, you must also change the security policy,
<filename>apache.te</filename>. Refer to <xref
linkend=\"external-link-list\"/> for more information about writing
policy."
msgstr ""
#: en_US/selinux-faq.xml:1282(para)
msgid "If you are having trouble getting a specific application like Apache to work,
refer to <xref linkend=\"qa-using-s-c-securitylevel\"/> for information on
disabling enforcement just for that application."
msgstr ""
#: en_US/selinux-faq.xml:1314(para)
msgid "I installed &FC; on a system with an existing
<filename>/home</filename> partition, and now I can't log in."
msgstr ""
#: en_US/selinux-faq.xml:1320(para)
msgid "Your <filename>/home</filename> partition is not labeled
correctly. You can easily fix this in two different ways."
msgstr ""
#: en_US/selinux-faq.xml:1324(para)
msgid "If you just want to relabel <filename>/home</filename>
recursively:"
msgstr ""
#: en_US/selinux-faq.xml:1329(command)
msgid "/sbin/restorecon -v -R /home"
msgstr ""
#: en_US/selinux-faq.xml:1331(para)
msgid "If you want to be sure there are no other files incorrectly labeled, you can
relabel the entire file system:"
msgstr ""
#: en_US/selinux-faq.xml:1336(command)
msgid "/sbin/fixfiles relabel"
msgstr ""
#: en_US/selinux-faq.xml:1338(para)
msgid "You must have the <filename>policycoreutils</filename> package
installed to use <command>fixfiles</command>."
msgstr ""
#: en_US/selinux-faq.xml:1346(para)
msgid "After relabeling my <filename>/home</filename> using
<command>setfiles</command> or <command>fixfiles</command>, will I
still be able to read <filename>/home</filename> with a non-&SEL;-enabled
system?"
msgstr ""
#: en_US/selinux-faq.xml:1354(para)
msgid "You can read the files from a non-&SEL; distribution, or one with
&SEL; disabled. However, files created by a system not using &SEL; will
have no security context, nor will any files you remove and recreate. This could be a
challenge with files such as <filename>~/.bashrc</filename>. You may have to
relabel <filename>/home</filename> when you reboot the &SEL;-enabled
&FC; system."
msgstr ""
#: en_US/selinux-faq.xml:1367(para)
msgid "How do I share directories using NFS between &FC; and non-&SEL;
systems?"
msgstr ""
#: en_US/selinux-faq.xml:1373(para)
msgid "Just as NFS transparently supports many file system types, it can be used to
share directories between &SEL; and non-&SEL; systems."
msgstr ""
#: en_US/selinux-faq.xml:1377(para)
msgid "When you mount a non-&SEL; file system via NFS, by default &SEL; will
treat all the files in the share as having a context of
<computeroutput>nfs_t</computeroutput>. You can override the default context
by setting it manually, using the <option>context=</option> option. The
following command makes the files in the NFS mounted directory appear to have a context of
<computeroutput>system_u:object_r:tmp_t</computeroutput> to &SEL;:"
msgstr ""
#: en_US/selinux-faq.xml:1387(command)
msgid "mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo
/mnt/foo"
msgstr ""
#: en_US/selinux-faq.xml:1390(para)
msgid "When &SEL; exports a file system via NFS, newly created files have the
context of the directory they were created in. In other words, the presence of &SEL;
on the remote mounting system has no effect on the local security contexts."
msgstr ""
#: en_US/selinux-faq.xml:1400(para)
msgid "How can I create a new Linux user account with the user's home directory
having the proper context?"
msgstr ""
#. wtf was I trying to say here?
#. <para>
#. This depends on the policy you are running. A very restrictive
#. policy requires you to change
#. </para>
#: en_US/selinux-faq.xml:1412(para)
msgid "You can create your new user with the standard
<command>useradd</command> command. First you must become <systemitem
class=\"username\">root</systemitem>. Under the strict policy you will
need to change role to <computeroutput>sysadm_r</computeroutput> with the
following command:"
msgstr ""
#: en_US/selinux-faq.xml:1421(userinput)
#, no-wrap
msgid "newrole -r sysadm_r"
msgstr ""
#: en_US/selinux-faq.xml:1423(para)
msgid "For the targeted policy you will not need to switch roles, staying in
<computeroutput>unconfined_t</computeroutput>:"
msgstr ""
#: en_US/selinux-faq.xml:1429(userinput)
#, no-wrap
msgid "su - root\nid -Z"
msgstr ""
#: en_US/selinux-faq.xml:1431(computeroutput)
#, no-wrap
msgid "root:system_r:unconfined_t"
msgstr ""
#: en_US/selinux-faq.xml:1432(userinput)
#, no-wrap
msgid "useradd auser\nls -Z /home"
msgstr ""
#: en_US/selinux-faq.xml:1434(computeroutput)
#, no-wrap
msgid "drwx------ auser auser root:object_r:user_home_dir_t /home/auser"
msgstr ""
#: en_US/selinux-faq.xml:1436(para)
msgid "The initial context for a new user directory has an identity of
<computeroutput>root</computeroutput>. Subsequent relabeling of the file
system will change the identity to <computeroutput>system_u</computeroutput>.
These are functionally the same since the role and type are identical
(<computeroutput>object_r:user_home_dir_t</computeroutput>.)"
msgstr ""
#: en_US/selinux-faq.xml:1477(para)
msgid "I'm having trouble with <computeroutput>avc: denied</computeroutput>
messages filling my logs for a particular program. How do I choose not to audit that
access?"
msgstr ""
#: en_US/selinux-faq.xml:1484(para)
msgid "If you wanted to not audit <command>dmesg</command>, for example,
you would put this in your <filename>dmesg.te</filename> file:"
msgstr ""
#: en_US/selinux-faq.xml:1491(userinput)
#, no-wrap
msgid "dontaudit dmesg_t userdomain:fd { use };"
msgstr ""
#: en_US/selinux-faq.xml:1493(para)
msgid "This suppresses the audit message for that access from all user domains,
including <varname>user</varname>, <varname>staff</varname> and
<varname>sysadm</varname>. The access is still denied; only the logging is turned off."
msgstr ""
#: en_US/selinux-faq.xml:1502(para)
msgid "Even running in permissive mode, I'm getting a large number of
<computeroutput>avc denied</computeroutput> messages."
msgstr ""
#: en_US/selinux-faq.xml:1508(para)
msgid "In a non-enforcing mode, you should actually receive
<emphasis>more</emphasis> messages than in enforcing mode. The kernel logs
each access denial as if you were in an enforcing mode. Since you are not restricted by
policy enforcement, you can perform more actions, which results in more denials being
logged."
msgstr ""
#: en_US/selinux-faq.xml:1515(para)
msgid "If an application running under an enforcing mode is denied access to read a
number of files in a directory, it is stopped once at the beginning of the action. In a
non-enforcing mode, the application is not stopped from traversing the directory tree, and
generates a denial message for each file read in the directory."
msgstr ""
#: en_US/selinux-faq.xml:1527(para)
msgid "I get a specific permission denial only when &SEL; is in enforcing mode,
but I don't see any audit messages in
<filename>/var/log/messages</filename> (or
<filename>/var/log/audit/audit.log</filename> if using the audit daemon). How
can I identify the cause of these silent denials?"
msgstr ""
#: en_US/selinux-faq.xml:1537(para)
msgid "The most common reason for a silent denial is when the policy contains an
explicit <computeroutput>dontaudit</computeroutput> rule to suppress audit
messages. The <computeroutput>dontaudit</computeroutput> rule is often used
this way when a benign denial is filling the audit logs."
msgstr ""
#: en_US/selinux-faq.xml:1544(para)
msgid "To look for your particular denial, you will need to enable auditing of all
<computeroutput>dontaudit</computeroutput> rules:"
msgstr ""
#: en_US/selinux-faq.xml:1549(command)
msgid "semodule -b /usr/share/selinux/targeted/enableaudit.pp"
msgstr ""
#: en_US/selinux-faq.xml:1552(title)
msgid "Enabled <computeroutput>dontaudit</computeroutput> output is
verbose"
msgstr ""
#: en_US/selinux-faq.xml:1554(para)
msgid "Enabling auditing of all
<computeroutput>dontaudit</computeroutput> rules will likely produce a large
amount of audit information, most of which is irrelevant to your denial."
msgstr ""
#: en_US/selinux-faq.xml:1560(para)
msgid "Use this technique only if you are specifically looking for an audit message
for a denial that seems to occur silently. You will likely want to re-enable
<computeroutput>dontaudit</computeroutput> rules as soon as possible."
msgstr ""
#: en_US/selinux-faq.xml:1568(para)
msgid "Once you have found your problem you can reset to the default mode by
executing"
msgstr ""
#: en_US/selinux-faq.xml:1573(command)
msgid "semodule -b /usr/share/selinux/targeted/base.pp"
msgstr ""
#: en_US/selinux-faq.xml:1603(para)
msgid "Why do I not see the output when I run certain daemons in debug or interactive
mode?"
msgstr ""
#: en_US/selinux-faq.xml:1609(para)
msgid "&SEL; intentionally disables access to the tty devices to stop daemons
from communicating back with the controlling terminal. This communication is a potential
security hole because such daemons could insert commands into the controlling terminal. A
broken or compromised program could use this hole to cause serious problems."
msgstr ""
#: en_US/selinux-faq.xml:1617(para)
msgid "There are a few ways you can capture standard output from daemons. One method
is to pipe the output to the <command>cat</command> command."
msgstr ""
#: en_US/selinux-faq.xml:1622(command)
msgid "snmpd -v | cat"
msgstr ""
#: en_US/selinux-faq.xml:1624(para)
msgid "When debugging a daemon, you may want to turn off the transition of the daemon
to its specific domain. You can do this using
<command>system-config-securitylevel</command> or
<command>setsebool</command> on the command line."
msgstr ""
#: en_US/selinux-faq.xml:1630(para)
msgid "A final option is to turn off enforcing mode while debugging. Issue the
command <command>setenforce 0</command> to turn off enforcing mode, and use
the command <command>setenforce 1</command> to re-enable &SEL; when you
are finished debugging."
msgstr ""
#: en_US/selinux-faq.xml:1640(para)
msgid "When I do an upgrade of the policy package (for example, using
<command>yum</command>), what happens with the policy? Is it updated
automatically?"
msgstr ""
#: en_US/selinux-faq.xml:1647(para)
msgid "Policy reloads itself when the package is updated. This behavior replaces the
manual <command>make load</command>."
msgstr ""
#: en_US/selinux-faq.xml:1651(para)
msgid "In certain situations, you may need to relabel the file system. This might
occur as part of an &SEL; bug fix where file contexts become invalid, or when the
policy update makes changes to the file
<filename>/etc/selinux/targeted/contexts/files/file_contexts</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1658(para)
msgid "After the file system is relabeled, a <command>reboot</command> is
not required, but is useful in ensuring every process and program is running in the proper
domain. This is highly dependent on the changes in the updated policy."
msgstr ""
#: en_US/selinux-faq.xml:1664(para)
msgid "To relabel, you have several options. You may use the
<command>fixfiles</command> command:"
msgstr ""
#: en_US/selinux-faq.xml:1669(command)
msgid "fixfiles relabel\nreboot"
msgstr ""
#: en_US/selinux-faq.xml:1672(para)
msgid "Alternately, use the <filename>/.autorelabel</filename>
mechanism:"
msgstr ""
#: en_US/selinux-faq.xml:1676(command)
msgid "touch /.autorelabel\nreboot"
msgstr ""
#: en_US/selinux-faq.xml:1683(para)
msgid "If the policy shipping with an application package changes in a way that
requires relabeling, will RPM handle relabeling the files owned by the package?"
msgstr ""
#: en_US/selinux-faq.xml:1690(para)
msgid "Yes. The security contexts for the files owned by the package are stored in
the header data for the package. The file contexts are set directly after the
<command>cpio</command> copy, as the package files are being put on the
disk."
msgstr ""
#: en_US/selinux-faq.xml:1775(para)
msgid "Why do binary policies distributed with Fedora, such as
<filename>/etc/selinux/<replaceable><policyname></replaceable>/policy/policy.<replaceable><version></replaceable></filename>,
and those I compile myself have different sizes and MD5 checksums?"
msgstr ""
#: en_US/selinux-faq.xml:1782(para)
msgid "When you install a policy package, pre-compiled binary policy files are put
directly into <filename>/etc/selinux</filename>. The different build
environments will make target files that have different sizes and MD5 checksums."
msgstr ""
#: en_US/selinux-faq.xml:1792(para)
msgid "Will new policy packages disable my system?"
msgstr ""
#: en_US/selinux-faq.xml:1797(para)
msgid "There is a possibility that changes in the policy package or in the policy
shipping with an application package can cause errors, more denials, or other unknown
behaviors. You can discover which package caused the breakage by reverting policy and
application packages one at a time. If you don't want to return to the previous
package, the older version of the configuration files will be saved with the extension
<filename class=\"extension\">.rpmsave</filename>. Use the mailing
lists, bugzilla, and IRC to help you work through your problem. If you are able, write or
fix policy to resolve your problem."
msgstr ""
#: en_US/selinux-faq.xml:1814(para)
msgid "How can I help write policy?"
msgstr ""
#: en_US/selinux-faq.xml:1819(para)
msgid "Your help is definitely appreciated."
msgstr ""
#: en_US/selinux-faq.xml:1824(para)
msgid "You can start by joining the &FED;&SEL; mailing list. You can
subscribe and read the archives at <ulink
url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list\&qu...
msgstr ""
#: en_US/selinux-faq.xml:1831(para)
msgid "The Unofficial FAQ has some generic policy writing HOWTO information. Refer to
<ulink
url=\"http://sourceforge.net/docman/display_doc.php?docid=14882&...
for more information."
msgstr ""
#: en_US/selinux-faq.xml:1839(para)
msgid "Another new resource is the Writing SE Linux policy HOWTO, located online at
<ulink
url=\"https://sourceforge.net/docman/display_doc.php?docid=21959&...
msgstr ""
#: en_US/selinux-faq.xml:1846(para)
msgid "Also, since the &FC;&LOCALVER; policy is based on the <xref
linkend=\"faq-entry-whatis-refpolicy\"/>, you should look at the
documentation on its project page. Another excellent source of information is the policy
files in
<filename>/usr/share/doc/selinux-policy-<replaceable><version></replaceable></filename>
which shows examples of policy."
msgstr ""
#: en_US/selinux-faq.xml:1854(para)
msgid "If you want to create a new policy domain, you can look at the interface files
in the <filename>/usr/share/selinux/devel</filename> sub-directories. There is
also a tool there to help you get started. The following procedure is an example:"
msgstr ""
#: en_US/selinux-faq.xml:1863(para)
msgid "Use the <command>policygentool</command> command to generate your
own <filename>te</filename>, <filename>fc</filename> and
<filename>if</filename> files. The
<command>policygentool</command> command takes two parameters: the name of the
policy module and the full path to the executable. The following command gives a usage
example:"
msgstr ""
#: en_US/selinux-faq.xml:1872(replaceable)
msgid "mydaemon /usr/sbin/mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1872(command)
msgid "policygentool <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1874(para)
msgid "It will prompt you for a few common domain characteristics, and will create
three files: <filename>mydaemon.te</filename>,
<filename>mydaemon.fc</filename> and
<filename>mydaemon.if</filename>."
msgstr ""
#: en_US/selinux-faq.xml:1883(para)
msgid "After you generate the policy files, use the supplied Makefile,
<filename>/usr/share/selinux/devel/Makefile</filename>, to build a policy
package (<filename>mydaemon.pp</filename>):"
msgstr ""
#: en_US/selinux-faq.xml:1891(command)
msgid "make -f /usr/share/selinux/devel/Makefile"
msgstr ""
#: en_US/selinux-faq.xml:1895(para)
msgid "Now you can load the policy module, using
<command>semodule</command>, and relabel the executable using
<command>restorecon</command>:"
msgstr ""
#: en_US/selinux-faq.xml:1901(replaceable)
msgid "mydaemon.pp"
msgstr ""
#: en_US/selinux-faq.xml:1901(command)
msgid "semodule -i <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1902(replaceable)
msgid "/usr/sbin/mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1902(command)
msgid "restorecon -v <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:1906(para)
msgid "Since you have very limited policy for your executable, SELinux will prevent
it from doing much. Turn on permissive mode and then use the init script to start your
daemon:"
msgstr ""
#: en_US/selinux-faq.xml:1912(command)
msgid "setenforce 0"
msgstr ""
#: en_US/selinux-faq.xml:1913(replaceable)
msgid "mydaemon"
msgstr ""
#: en_US/selinux-faq.xml:1913(command)
msgid "service <placeholder-1/> restart"
msgstr ""
#: en_US/selinux-faq.xml:1917(para)
msgid "Now you can collect AVC messages. You can use
<command>audit2allow</command> to translate the AVC messages to allow rules
and begin updating your <filename>mydaemon.te</filename> file. You should
search for interface macros in the
<filename>/usr/share/selinux/devel/include</filename> directory and use these
instead of using the allow rules directly, whenever possible. <command>audit2allow
-R</command> will attempt to find interfaces that match the allow rule. If you want
more examples of policy, you could always install the selinux-policy src rpm, which
contains all of the policy te files for the reference policy."
msgstr ""
#: en_US/selinux-faq.xml:1935(para)
msgid "My console is being flooded with messages. How do I turn them off?"
msgstr ""
#: en_US/selinux-faq.xml:1941(para)
msgid "To regain useful control, turn off kernel messages to the console with this
command:"
msgstr ""
#: en_US/selinux-faq.xml:1946(command)
msgid "dmesg -n 1"
msgstr ""
#: en_US/selinux-faq.xml:1952(para)
msgid "Can I test the default policy without installing the policy source?"
msgstr ""
#: en_US/selinux-faq.xml:1958(para)
msgid "You can test &SEL; default policy by installing just the
<filename>selinux-policy-<replaceable>policyname</replaceable></filename>
and <filename>policycoreutils</filename> packages. Without the policy source
installed, the <command>fixfiles</command> command automates the file system
relabeling."
msgstr ""
#: en_US/selinux-faq.xml:1965(para)
msgid "The command <command>fixfiles relabel</command> is the equivalent
of <command>make relabel</command>. During the relabeling, it will delete all
of the files in <filename>/tmp</filename>, cleaning up files which may have
old file context labels."
msgstr ""
#: en_US/selinux-faq.xml:1971(para)
msgid "Other commands are <command>fixfiles check</command>, which checks
for mislabeled files, and <command>fixfiles restore</command>, which fixes the
mislabeled files but does not delete the files in <filename>/tmp</filename>.
The <command>fixfiles</command> command does not take a list of directories as
an argument, because it relabels the entire file system. If you need to relabel a specific
directory path, use <command>restorecon</command>."
msgstr ""
#: en_US/selinux-faq.xml:1985(para)
msgid "Why are some of my KDE applications having trouble under &SEL;?"
msgstr ""
#: en_US/selinux-faq.xml:1990(para)
msgid "KDE executables always appear as <command>kdeinit</command>, which
limits what can be done with &SEL; policy. This is because every KDE application runs
in the domain for <command>kdeinit</command>."
msgstr ""
#: en_US/selinux-faq.xml:1995(para)
msgid "Problems often arise when installing &SEL; because it is not possible to
relabel <filename>/tmp</filename> and
<filename>/var/tmp</filename>. There is no good method of determining which
file should have which context."
msgstr ""
#: en_US/selinux-faq.xml:2001(para)
msgid "The solution is to fully log out of KDE and remove all KDE temporary
files:"
msgstr ""
#: en_US/selinux-faq.xml:2006(replaceable)
msgid "<username>"
msgstr ""
#: en_US/selinux-faq.xml:2007(replaceable)
msgid "<other_kde_files>"
msgstr ""
#: en_US/selinux-faq.xml:2006(command)
msgid "rm -rf /var/tmp/kdecache-<placeholder-1/>\nrm -rf
/var/tmp/<placeholder-2/>"
msgstr ""
#: en_US/selinux-faq.xml:2009(para)
msgid "At your next login, your problem should be fixed."
msgstr ""
#: en_US/selinux-faq.xml:2016(para)
msgid "Why does <option>SELINUX=disabled</option> not work for me?"
msgstr ""
#: en_US/selinux-faq.xml:2021(para)
msgid "Be careful of white space in the file
<filename>/etc/sysconfig/selinux</filename>. The code is very sensitive to
white space, even trailing space."
msgstr ""
#: en_US/selinux-faq.xml:2030(para)
msgid "I have a process running as
<computeroutput>unconfined_t</computeroutput>, and &SEL; is still
preventing my application from running."
msgstr ""
#: en_US/selinux-faq.xml:2037(para)
msgid "We have begun to confine the
<computeroutput>unconfined_t</computeroutput> domain somewhat. SELinux
restricts certain memory protection operations. Following is a list of those denials, as
well as possible reasons and solutions for those denials. For more information on these
restrictions, see <ulink
url=\"http://people.redhat.com/drepper/selinux-mem.html\"/>."
msgstr ""
#: en_US/selinux-faq.xml:2048(computeroutput)
#, no-wrap
msgid "execmod"
msgstr ""
#: en_US/selinux-faq.xml:2050(para)
msgid "This is usually caused by the label on a library. You can change the context on the
library with <command>chcon -t textrel_shlib_t
<replaceable>LIBRARY</replaceable></command>. Now your application can
run. Please report this as a bugzilla."
msgstr ""
#: en_US/selinux-faq.xml:2060(computeroutput)
#, no-wrap
msgid "execstack"
msgstr ""
#: en_US/selinux-faq.xml:2062(para)
msgid "Attempt to <command>execstack -c
<replaceable>LIBRARY</replaceable></command>. Now try your application
again. If the application now works, the library was mistakenly marked as requiring
<computeroutput>execstack</computeroutput>. Please report this as a
bugzilla."
msgstr ""
#: en_US/selinux-faq.xml:2073(computeroutput)
#, no-wrap
msgid "execmem, execheap"
msgstr ""
#: en_US/selinux-faq.xml:2075(para)
msgid "A boolean for each one of these memory check errors has been provided. So if
you need to run an application requiring either of these permissions, you can set the
corresponding allow_exec* boolean to fix the problem. For instance, if you try to run an
application and you get an AVC message containing an
<computeroutput>execstack</computeroutput> failure, you can set the boolean
with"
msgstr ""
#: en_US/selinux-faq.xml:2085(command)
msgid "setsebool -P allow_execstack=1"
msgstr ""
#: en_US/selinux-faq.xml:2094(para)
msgid "What do these rpm errors mean?"
msgstr ""
#: en_US/selinux-faq.xml:2100(computeroutput)
#, no-wrap
msgid "genhomedircon: Warning! No support yet for expanding ROLE macros in the
/etc/selinux/mls/contexts/files/homedir_template file when using libsemanage.
\ngenhomedircon: You must manually update file_contexts.homedirs for any non-user_r users
(including root)."
msgstr ""
#: en_US/selinux-faq.xml:2103(para)
msgid "Some of the interfaces are not complete yet for SELinux. Most users should not
care about this warning. It will only affect you if you are running the policy package
that is reporting the problem and have non-standard SELinux role/user combinations, i.e.
you are using some custom policy."
msgstr ""
#: en_US/selinux-faq.xml:2111(computeroutput)
#, no-wrap
msgid "restorecon reset /etc/modprobe.conf context
system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t\nrestorecon reset
/etc/cups/ppd/homehp.ppd context
user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t"
msgstr ""
#: en_US/selinux-faq.xml:2114(para)
msgid "During the update process, the selinux package runs restorecon on the
difference between the previously installed policy file_contexts and the newly installed
policy file_contexts. This maintains the correct file context on disk."
msgstr ""
#: en_US/selinux-faq.xml:2121(computeroutput)
#, no-wrap
msgid "libsepol.sepol_genbools_array: boolean hidd_disable_trans no longer in
policy"
msgstr ""
#: en_US/selinux-faq.xml:2123(para)
msgid "This indicates that the updated policy has removed the boolean from
policy."
msgstr ""
#: en_US/selinux-faq.xml:2131(para)
msgid "I want to run a daemon on a non-standard port but &SEL; will not allow me.
How do I get this to work?"
msgstr ""
#: en_US/selinux-faq.xml:2137(para)
msgid "You can use the <command>semanage</command> command to define
additional ports. So say you want httpd to be able to listen on port 8082. You could enter
the following command:"
msgstr ""
#: en_US/selinux-faq.xml:2143(command)
msgid "semanage port -a -p tcp -t http_port_t 8082"
msgstr ""
#: en_US/selinux-faq.xml:2149(para)
msgid "How do I add additional translations to my MCS/MLS system?"
msgstr ""
#: en_US/selinux-faq.xml:2154(para)
msgid "Translations are handled through libsemanage. Use <command>semanage
translation -l</command> to list all current translations."
msgstr ""
#: en_US/selinux-faq.xml:2160(computeroutput)
#, no-wrap
msgid "# semanage translation -l\nLevel
Translation\n\ns0\ns0-s0:c0.c255 SystemLow-SystemHigh\ns0:c0.c255
SystemHigh"
msgstr ""
#: en_US/selinux-faq.xml:2167(para)
msgid "Now pick an unused category. Say you wanted to add Payroll as a translation,
and s0:c6 is unused."
msgstr ""
#: en_US/selinux-faq.xml:2172(computeroutput)
#, no-wrap
msgid "# semanage translation -a -T Payroll s0:c6\n# semanage translation -l\nLevel
Translation\n\ns0\ns0-s0:c0.c255
SystemLow-SystemHigh\ns0:c0.c255 SystemHigh\ns0:c6
Payroll"
msgstr ""
#: en_US/selinux-faq.xml:2185(para)
msgid "I have set up my MCS/MLS translations. Now how do I designate which users can
read a given category?"
msgstr ""
#: en_US/selinux-faq.xml:2191(para)
msgid "You can modify the range of categories a user can login with by using
<command>semanage</command>, as seen in this example."
msgstr ""
#: en_US/selinux-faq.xml:2196(computeroutput)
#, no-wrap
msgid "# semanage login -a -r s0-Payroll csellers\n# semanage login -l\n\nLogin Name
SELinux User MLS/MCS Range \n\n__default__
user_u s0 \ncsellers user_u
s0-Payroll \nroot root
SystemLow-SystemHigh"
msgstr ""
#: en_US/selinux-faq.xml:2205(para)
msgid "In the above example, the user csellers was given access to the
<computeroutput>Payroll</computeroutput> category with the first command, as
indicated in the listing output from the second command."
msgstr ""
#: en_US/selinux-faq.xml:2215(para)
msgid "I am writing a PHP script that needs to create temporary files in
<filename>/tmp</filename> and then execute them, but SELinux policy is preventing
this. What should I do?"
msgstr ""
#: en_US/selinux-faq.xml:2222(para)
msgid "You should avoid having system applications writing to the
<filename>/tmp</filename> directory, since users tend to use the
<filename>/tmp</filename> directory also. It would be better to create a
directory elsewhere which could be owned by the apache process and allow your script to
write to it. You should label the directory
<computeroutput>httpd_sys_script_rw_t</computeroutput>."
msgstr ""
#: en_US/selinux-faq.xml:2234(para)
msgid "I am setting up swapping to a file, but I am seeing AVC messages in my log
files. Why?"
msgstr ""
#: en_US/selinux-faq.xml:2240(para)
msgid "You need to identify the swapfile to SELinux by setting its file context to
<computeroutput>swapfile_t</computeroutput>."
msgstr ""
#: en_US/selinux-faq.xml:2245(replaceable)
msgid "SWAPFILE"
msgstr ""
#: en_US/selinux-faq.xml:2245(command)
msgid "chcon -t swapfile_t <placeholder-1/>"
msgstr ""
#: en_US/selinux-faq.xml:2251(para)
msgid "Please explain the
<computeroutput>relabelto</computeroutput>/<computeroutput>relabelfrom</computeroutput>
permissions?"
msgstr ""
#: en_US/selinux-faq.xml:2258(para)
msgid "For files, <computeroutput>relabelfrom</computeroutput> means
\"Can domain D relabel a file from (i.e. currently in) type T1?\" and
<computeroutput>relabelto</computeroutput> means \"Can domain D relabel a
file to type T2?\", so both checks are applied upon a file relabeling, where T1 is
the original type of the file and T2 is the new type specified by the program."
msgstr ""
#: en_US/selinux-faq.xml:2266(para)
msgid "Useful documents to look at:"
msgstr ""
#: en_US/selinux-faq.xml:2271(para)
msgid "Object class and permission summary by Tresys <ulink
url=\"http://tresys.com/selinux/obj_perms_help.shtml\"/>"
msgstr ""
#: en_US/selinux-faq.xml:2277(para)
msgid "Implementing SELinux as an LSM technical report (describes permission checks
on a per-hook basis) <ulink
url=\"http://www.nsa.gov/selinux/papers/module-abs.cfm\"/>. This is also
available in the selinux-doc package (and more up-to-date there)."
msgstr ""
#: en_US/selinux-faq.xml:2286(para)
msgid "Integrating Flexible Support for Security Policies into the Linux Operating
System - technical report (describes original design and implementation, including summary
tables of classes, permissions, and what permission checks are applied to what system
calls. It is not entirely up-to-date with current implementation, but a good resource
nonetheless). <ulink
url=\"http://www.nsa.gov/selinux/papers/slinux-abs.cfm\"/>"
msgstr ""
#: en_US/selinux-faq.xml:2302(para)
msgid "Where are &SEL; AVC messages (denial logs, etc.) stored?"
msgstr ""
#: en_US/selinux-faq.xml:2307(para)
msgid "In &FC; 2 and 3, SELinux AVC messages could be found in
<filename>/var/log/messages</filename>. In &FC; 4, the audit daemon was
added, and these messages moved to
<filename>/var/log/audit/audit.log</filename>. In &FC; 5, the audit daemon
is not installed by default, and consequently these messages can be found in
<filename>/var/log/messages</filename> unless you choose to install the audit
daemon, in which case AVC messages will be in
<filename>/var/log/audit/audit.log</filename>."
msgstr ""
#: en_US/selinux-faq.xml:2323(title)
msgid "Deploying &SEL;"
msgstr ""
#: en_US/selinux-faq.xml:2326(para)
msgid "What file systems can I use for &SEL;?"
msgstr ""
#: en_US/selinux-faq.xml:2331(para)
msgid "The file system must support
<computeroutput>xattr</computeroutput> labels in the right
<parameter>security.*</parameter> namespace. In addition to ext2/ext3, XFS has
recently added support for the necessary labels."
msgstr ""
#: en_US/selinux-faq.xml:2338(para)
msgid "Note that XFS SELinux support is broken in upstream kernel 2.6.14 and 2.6.15,
but fixed (worked around) in 2.6.16. Your kernel must include this fix if you choose to
use XFS with &SEL;."
msgstr ""
#: en_US/selinux-faq.xml:2348(para)
msgid "How does &SEL; impact system performance?"
msgstr ""
#: en_US/selinux-faq.xml:2353(para)
msgid "This is a variable that is hard to measure, and is heavily dependent on the
tuning and usage of the system running &SEL;. When performance was last measured, the
impact was around 7% for completely untuned code. Subsequent changes in system components
such as networking are likely to have made that worse in some cases. &SEL; performance
tuning continues to be a priority of the development team."
msgstr ""
#: en_US/selinux-faq.xml:2366(para)
msgid "What types of deployments, applications, and systems should I leverage
&SEL; in?"
msgstr ""
#: en_US/selinux-faq.xml:2372(para)
msgid "Initially, &SEL; has been used on Internet facing servers that are
performing a few specialized functions, where it is critical to keep extremely tight
security. Administrators typically strip such a box of all extra software and services,
and run a very small, focused set of services. A Web server or mail server is a good
example."
msgstr ""
#: en_US/selinux-faq.xml:2380(para)
msgid "In these edge servers, you can lock down the policy very tightly. The smaller
number of interactions with other components makes such a lockdown easier. A dedicated
system running a specialized third-party application would also be a good
candidate."
msgstr ""
#: en_US/selinux-faq.xml:2386(para)
msgid "In the future, &SEL; will be targeted at all environments. In order to
achieve this goal, the community and <firstterm>independent software
vendors</firstterm> (<abbrev>ISV</abbrev>s) must work with the &SEL;
developers to produce the necessary policy. So far, a very restrictive
<firstterm>strict policy</firstterm> has been written, as well as a
<firstterm>targeted policy</firstterm> that focuses on specific, vulnerable
daemons."
msgstr ""
#: en_US/selinux-faq.xml:2396(para)
msgid "For more information about these policies, refer to <xref
linkend=\"qa-whatis-policy\"/> and <xref
linkend=\"qa-whatis-targeted-policy\"/>."
msgstr ""
#: en_US/selinux-faq.xml:2404(para)
msgid "How does &SEL; affect third-party applications?"
msgstr ""
#: en_US/selinux-faq.xml:2409(para)
msgid "One goal of implementing a targeted &SEL; policy in &FC; is to allow
third-party applications to work without modification. The targeted policy is transparent
to those unaddressed applications, and it falls back on standard Linux DAC security. These
applications, however, will not be running in an extra-secure manner. You or another
provider must write policy to protect these applications with MAC security."
msgstr ""
#: en_US/selinux-faq.xml:2418(para)
msgid "It is impossible to predict how every third-party application might behave
with &SEL;, even running the targeted policy. You may be able to fix issues that arise
by changing the policy. You may find that &SEL; exposes previously unknown security
issues with your application. You may have to modify the application to work under
&SEL;."
msgstr ""
#: en_US/selinux-faq.xml:2426(para)
msgid "Note that with the addition of <xref
linkend=\"faq-entry-whatare-policy-modules\"/>, it is now possible for
third-party developers to include policy modules with their application. If you are a
third-party developer or a package-maintainer, please consider including a policy module
in your package. This will allow you to secure the behavior of your application with the
power of &SEL; for any user installing your package."
msgstr ""
#: en_US/selinux-faq.xml:2436(para)
msgid "One important value that &FC; testers and users bring to the community is
extensive testing of third-party applications. With that in mind, please bring your
experiences to the appropriate mailing list, such as the fedora-selinux list, for
discussion. For more information about that list, refer to <ulink
url=\"http://www.redhat.com/mailman/listinfo/fedora-selinux-list/\"/>."
msgstr ""
#. Put one translator per line, in the form of NAME <EMAIL>, YEAR1, YEAR2.
#: en_US/selinux-faq.xml:0(None)
msgid "translator-credits"
msgstr ""