Fedora Virtualization Guide: Security for virtualization

(English source strings of the Persian (fa) gettext template for this chapter. Project-Id-Version: Fedora Virtualization Guide; POT created 2011-03-02; PO revision 2011-08-21; all msgstr entries were empty, so only the English text is reproduced here.)

Security for virtualization

When deploying virtualization technologies on your corporate infrastructure, you must ensure that the host cannot be compromised. The host is a Fedora system that manages the hardware, devices, memory and networks on behalf of all virtualized guests. If the host is insecure, every guest on it is vulnerable. There are several ways to enhance security on systems using virtualization. You or your organization should create a deployment plan that contains the operating specifications, specifies which services are needed on your virtualized guests and host servers, and states what support those services require. Here are a few security issues to consider while developing a deployment plan:

- Run only necessary services on hosts. The fewer processes and services running on the host, the smaller its attack surface and the better its performance.
- Enable SELinux on the hypervisor host. See the "SELinux and virtualization" section below for more information on using SELinux with virtualization.
- Use a firewall to restrict traffic to dom0 (dom0 is the Xen name for the privileged host domain; on KVM this is simply the host). A firewall with default-reject rules helps protect dom0 from attack. It is also important to limit the number of network-facing services.
- Do not allow normal users to access dom0. If you do permit normal users access to dom0, you risk exposing it: dom0 is privileged, and an unprivileged account with access to it can be used to compromise the host and, with it, every guest.
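The checks below turn the deployment-plan items above into a host audit. This is an added example and not part of the Fedora guide: each check reads the output of a standard command (ss, getenforce, /etc/group, /etc/fstab and /proc/cmdline) from standard input, so it runs here on constructed sample data and can be pointed at the live system with --live. The allowlist of services (sshd only), the set of groups treated as equivalent to dom0 access (wheel, libvirt, kvm, disk) and the storage check, which anticipates the disk-label warning in the storage section below, are my assumptions about a typical host.

```shell
#!/bin/sh
# Added example: audit a virtualization host against the deployment-plan items.
# Every check reads command output from stdin so it can run on the constructed
# samples below; `sh audit.sh --live` runs the same checks on the real host.
set -u

# Listening sockets whose owning process is not in the allowlist.
# Input: `ss -Hlntup` output. Loopback-only sockets are not network facing.
unexpected_listeners() {
    awk -v allowed=" $1 " '
        {
            laddr = $5
            if (laddr ~ /^(127\.|\[::1\]|::1)/) next
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (index(allowed, " " proc " ") == 0) print $1, laddr, proc
        }'
}

# Input: `getenforce` output. Succeeds only when SELinux is enforcing.
selinux_enforcing() { [ "$(cat)" = "Enforcing" ]; }

# Accounts that effectively have dom0 access through group membership.
# Input: /etc/group. wheel = sudo, libvirt = full libvirtd access via polkit,
# kvm = /dev/kvm, disk = raw read/write of every block device on the host.
privileged_group_members() {
    awk -F: -v groups=" $1 " '
        index(groups, " " $1 " ") && $4 != "" {
            n = split($4, u, ",")
            for (i = 1; i <= n; i++) print $1 ":" u[i]
        }'
}

# File systems the host locates by label or UUID. Both live in the file
# system superblock, so anyone who can write that partition (a guest given
# a whole partition, for instance) can forge them with e2label / tune2fs -U.
# Input: /etc/fstab and /proc/cmdline concatenated.
spoofable_fs_refs() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i <= NF; i++) if ($i ~ /^(root=)?(LABEL|UUID)=/) print $i }'
}

# Constructed samples (not captured from a real host).
SAMPLE_SS='tcp LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128  127.0.0.1:25   0.0.0.0:* users:(("master",pid=1010,fd=13))
tcp LISTEN 0 4096 0.0.0.0:16509  0.0.0.0:* users:(("libvirtd",pid=950,fd=11))
udp UNCONN 0 0    0.0.0.0:5353   0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))
tcp LISTEN 0 128  [::]:80        [::]:*    users:(("httpd",pid=1300,fd=4))'
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,bob
disk:x:6:
kvm:x:36:
libvirt:x:985:carol
users:x:100:alice'
SAMPLE_FS='# /etc/fstab
UUID=2b1c6d1e-0000-4000-8000-000000000001 /     ext4 defaults 1 1
LABEL=boot                                /boot ext4 defaults 1 2
/dev/mapper/vg0-swap                      swap  swap defaults 0 0
BOOT_IMAGE=/vmlinuz root=LABEL=/ ro quiet'

if [ "${1-}" = "--live" ]; then
    ss -Hlntup | unexpected_listeners "sshd"
    getenforce | selinux_enforcing || echo "SELinux is not enforcing"
    privileged_group_members "wheel libvirt kvm disk" < /etc/group
    cat /etc/fstab /proc/cmdline | spoofable_fs_refs
else
    printf '%s\n' "$SAMPLE_SS"    | unexpected_listeners "sshd"
    printf '%s\n' "$SAMPLE_GROUP" | privileged_group_members "wheel libvirt kvm disk"
    printf '%s\n' "$SAMPLE_FS"    | spoofable_fs_refs
fi
```

On the sample data the listener check flags libvirtd's plaintext TCP socket (16509), avahi and httpd while ignoring sshd and the loopback-only MTA; the group check reports alice, bob and carol; the storage check reports the two fstab entries and the root= parameter that rely on forgeable identifiers, while the LVM swap entry passes. Every finding is a line to justify in the deployment plan or to remove from the host.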
Storage security issues

In certain circumstances, the administrator of a virtualized guest can change which partitions the host boots from. To prevent this, administrators should follow these recommendations:

- The host should not use disk labels to identify file systems in the fstab file, in the initrd, or on the kernel command line when less privileged users, especially virtualized guests, have write access to whole partitions or LVM volumes. A label lives in the file system superblock, so whoever can write the partition can set it (for example with e2label) to collide with the host's root or boot label and redirect the next host boot. File-system UUIDs are written the same way (tune2fs -U) and are no safer; refer to such storage by a stable device path such as an LVM volume instead.
- Guests should not be given write access to whole disks or block devices (for example, /dev/sdb). Use partitions (for example, /dev/sdb1) or LVM volumes. A guest that can write the whole disk can also rewrite its partition table and any file system the host keeps on it.

SELinux and virtualization

Security Enhanced Linux was developed by the NSA with assistance from the Linux community to provide stronger security for Linux. SELinux limits an attacker's abilities and works to prevent many common security exploits such as buffer overflow attacks and privilege escalation. Because of these benefits, all Fedora systems should run with SELinux enabled and in enforcing mode.

With SELinux enforcing, libvirt cannot start a guest whose disk images carry the wrong SELinux type. Images are expected to be labeled virt_image_t. The default image directory, /var/lib/libvirt/images, already carries that label; any other location must be labeled the same way, as the next section shows.

Adding LVM based storage with SELinux in enforcing mode
The following section is an example of adding a logical volume to a virtualized guest with SELinux enabled. These instructions also work for hard drive partitions.

Creating and mounting a logical volume on a virtualized guest with SELinux enabled

1. Create a logical volume. This example creates a 5 gigabyte logical volume named NewVolumeName on the volume group named volumegroup.

    # lvcreate -n NewVolumeName -L 5G volumegroup

2. Format the NewVolumeName logical volume with a file system that supports extended attributes, such as ext3.

    # mke2fs -j /dev/volumegroup/NewVolumeName

3. Create a new directory for mounting the new logical volume. This directory can be anywhere on your file system. It is advised not to put it in important system directories (/etc, /var, /sys) or in home directories (/home or /root). This example uses a directory called /virtstorage.

    # mkdir /virtstorage

4. Mount the logical volume.

    # mount /dev/volumegroup/NewVolumeName /virtstorage

5. Set the correct SELinux type for the libvirt image folder. The argument is a regular expression: it must name the directory you actually mounted (/virtstorage), and the "(/.*)?" suffix extends the rule to everything beneath it.

    # semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"

If the targeted policy is used (targeted is the default policy) the command appends a line to the /etc/selinux/targeted/contexts/files/file_contexts.local file, which makes the change persistent.
The appended line may resemble this:

    /virtstorage(/.*)? system_u:object_r:virt_image_t:s0

6. Run restorecon to change the type of the mount point (/virtstorage) and all files under it to virt_image_t (the restorecon and setfiles commands read the file context definitions in /etc/selinux/targeted/contexts/files/).

    # restorecon -R -v /virtstorage

Testing new attributes

7. Create a new file (using the touch command) on the file system.

    # touch /virtstorage/newfile

8. Verify the file has been labeled using the following command:

    # ls -Z /virtstorage
    -rw-------. root root system_u:object_r:virt_image_t:s0 newfile

The output shows that the new file has the correct type, virt_image_t. This is the at-rest label: while a guest runs, libvirt relabels its images to svirt_image_t with a guest-specific MCS category and restores virt_image_t when the guest stops.

SELinux

This section contains topics to consider when using SELinux with your virtualization deployment. When you deploy system changes or add devices, you must update your SELinux policy accordingly. To hand a guest an LVM volume or partition as a raw block device, you must set the SELinux context of the underlying device node itself rather than of a mounted directory:

    # semanage fcontext -a -t virt_image_t -f b /dev/sda2
    # restorecon /dev/sda2

(Older policycoreutils releases spelled the file-type option "-f -b".) Because /dev is recreated at every boot, it is the persistent fcontext rule that matters; udev applies it when it creates the node.

KVM and SELinux

There are several SELinux Booleans which affect KVM and libvirt. These Booleans are listed below for your convenience.
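A scripted form of the LVM-plus-SELinux procedure above, added here as an example; it is not part of the guide. Two helpers make it checkable without root: fcontext_pattern builds the semanage regular expression from a directory path and escapes regex metacharacters (a path such as /srv/virt.images would otherwise match more than intended), and all_labeled verifies ls -Z output. The lvcreate/mkfs/semanage/restorecon sequence and the raw block-device labeling described under SELinux above run only with --live, and the volume group, volume name, mount point and optional device path are arguments rather than the guide's fixed names; mkfs.ext4 and the current "-f b" spelling are my choices.

```shell
#!/bin/sh
# Added example: label new LVM-backed guest storage for libvirt under SELinux
# enforcing, with the checks a practitioner runs afterwards.
# Usage: sh label-virt-storage.sh --live VOLUMEGROUP NEWVOLUMENAME /virtstorage [/dev/vg/rawlv]
set -u

# Build the semanage fcontext regex for DIR and everything beneath it.
# semanage treats its path argument as a regular expression, so regex
# metacharacters in the real path ('.', '+', '[', ...) must be escaped.
fcontext_pattern() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$(printf '%s' "$dir" | sed 's/[][\.*^$(){}+?|]/\\&/g')"
}

# Succeed only if every line of `ls -Z` / `ls -lZ` output carries type TYPE.
# Context fields look like system_u:object_r:virt_image_t:s0.
all_labeled() {
    awk -v want="$1" '
        {
            ok = 0
            for (i = 1; i <= NF; i++)
                if (split($i, c, ":") >= 3 && c[2] == "object_r" && c[3] == want) ok = 1
            if (!ok) { print "unexpected label: " $0; bad = 1 }
        }
        END { exit bad + 0 }'
}

# A raw partition or LV handed to a guest is labeled as a block device node
# (-f b); the rule persists across the re-creation of /dev at boot.
label_block_device() {
    semanage fcontext -a -t virt_image_t -f b "$1"
    restorecon -v "$1"
    ls -Z "$1" | all_labeled virt_image_t
}

# Constructed `ls -Z` samples: one correct, one that would stop a guest.
SAMPLE_GOOD='-rw-r--r--. root root system_u:object_r:virt_image_t:s0 newfile
-rw-r--r--. root root system_u:object_r:virt_image_t:s0 guest1.img'
SAMPLE_BAD='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 guest2.img'

if [ "${1-}" = "--live" ]; then
    vg=$2 lv=$3 dir=$4
    lvcreate -n "$lv" -L 5G "$vg"
    mkfs.ext4 "/dev/$vg/$lv"                 # any ext file system supports xattrs
    mkdir -p "$dir"
    mount "/dev/$vg/$lv" "$dir"
    # Persistent rule first, then apply it: restorecon reads the rule set.
    semanage fcontext -a -t virt_image_t "$(fcontext_pattern "$dir")"
    restorecon -R -v "$dir"
    # Checks: the rule is recorded, a new file picks it up, and it is applied.
    semanage fcontext -l | grep -F "$(fcontext_pattern "$dir")"
    touch "$dir/newfile"
    matchpathcon "$dir/newfile"              # expected type: virt_image_t
    ls -Z "$dir" | all_labeled virt_image_t
    [ $# -ge 5 ] && label_block_device "$5"
fi
```

matchpathcon reports what the policy says a path should be labeled, ls -Z what it is labeled; a mismatch between the two after restorecon means the rule did not match the path you mounted, which is exactly the /virtstorage versus some-other-directory mistake the escaping helper guards against.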
KVM SELinux Booleans

SELinux Boolean                   Description
allow_unconfined_qemu_transition  Default: off. Controls whether KVM guests can be transitioned to unconfined users.
qemu_full_network                 Default: on. Controls full network access for KVM guests.
qemu_use_cifs                     Default: on. Controls KVM's access to CIFS or Samba file systems.
qemu_use_comm                     Default: off. Controls whether KVM can access serial or parallel communication ports.
qemu_use_nfs                      Default: on. Controls KVM's access to NFS file systems.
qemu_use_usb                      Default: on. Allows KVM to access and pass through USB devices.

Inspect the current values with "getsebool -a | grep -e qemu -e virt" and change one persistently with "setsebool -P <boolean> on|off". Later Fedora policies renamed several of these with a virt_ prefix (for example virt_use_nfs, virt_use_samba, virt_use_usb and virt_use_comm), so check getsebool for the names your policy ships before scripting them.

Virtualization firewall information

Various ports are used for communication between virtualized guests and management utilities.

Guest network services

Any network service on a virtualized guest must have the applicable ports open on the guest to allow external access. If a network service on a guest is firewalled it will be inaccessible. Always verify the guest's network configuration first.
- ICMP echo requests must be accepted if you want to ping guests or hosts; ICMP is used for network testing, and ping fails when ICMP packets are blocked. Do not drop all ICMP, however: error messages such as "fragmentation needed" are required for path MTU discovery, and a connection-tracking firewall accepts them as RELATED to existing connections.
- Port 22 (TCP) should be open for SSH access and for the initial installation.
- Ports 80 or 443 (depending on the security settings on the RHEV Manager) are used by the vdsm-reg service to communicate information about the host. This applies only to hosts managed by RHEV.
- Ports 5634 to 6166 (TCP) are used for guest console access with the SPICE protocol.
- Ports 49152 to 49215 (TCP) are used for migrations with KVM. libvirt takes one port from this range of 64 for each concurrent migration, so which ports are in use depends on how many migrations are running.
- Enabling IP forwarding (net.ipv4.ip_forward = 1) is required for guests on the default, NAT-based libvirt network (virbr0), whose traffic the host must route; a plain shared bridge forwards frames at layer 2 and does not need it. libvirt sets this sysctl itself when it starts that network, so it is enabled on a host with the virtualization packages installed unless it was manually disabled afterwards.

Restrict the SSH, SPICE and migration ports to the management and migration networks rather than opening them to everyone.
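A default-reject host firewall built from the port list above, as an added example that is not from the guide. host_rules prints an iptables-restore filter table that accepts SSH and SPICE only from a management network, the KVM migration range only from the peer-host network, ICMP echo plus conntrack-RELATED ICMP errors, and logs and drops everything else; the weak alternative, an INPUT chain with policy ACCEPT and a few per-service blocks, is described in a comment. The CIDRs 192.0.2.0/24 and 198.51.100.0/24 and the bridge name br0 are placeholders. libvirt's default NAT network inserts its own INPUT and FORWARD rules for virbr0 (DHCP, DNS and NAT), and loading a whole table with iptables-restore discards them, so restart that network (virsh net-destroy default; virsh net-start default) after loading.

```shell
#!/bin/sh
# Added example: default-reject firewall for a KVM host, from the port list
# in this section. Usage: sh virt-host-fw.sh MGMT_CIDR MIGRATION_CIDR [BRIDGE]
# then: sh virt-host-fw.sh ... | iptables-restore
set -u

# The weak form this replaces is `:INPUT ACCEPT` plus `-j DROP` lines for the
# services you remembered; anything you forgot (libvirtd's plaintext socket on
# 16509, dnsmasq on a bridge, avahi) stays reachable from everywhere.

# Print an iptables-restore filter table. MGMT may reach SSH and SPICE, MIG
# (the other KVM hosts) may reach the libvirt migration range, and an optional
# shared bridge is allowed to switch its own traffic through FORWARD.
host_rules() {
    mgmt=$1 mig=$2 bridge=${3-}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $mgmt -p tcp --dport 22 -j ACCEPT
-A INPUT -s $mgmt -p tcp --dport 5634:6166 -j ACCEPT
-A INPUT -s $mig -p tcp --dport 49152:49215 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "virt-host drop: "
EOF
    # Frames switched by a shared bridge traverse FORWARD when
    # net.bridge.bridge-nf-call-iptables=1; let the bridge forward to itself.
    [ -n "$bridge" ] && printf -- '-A FORWARD -i %s -o %s -j ACCEPT\n' "$bridge" "$bridge"
    echo COMMIT
}

# Input: the value of net.ipv4.ip_forward (sysctl -n or /proc/sys/...).
# libvirt's NAT network needs 1 and sets it itself when the network starts,
# so a 0 on a host that runs virbr0 means something turned it off again.
ip_forward_enabled() { [ "$(cat)" = "1" ]; }

if [ $# -ge 2 ]; then
    host_rules "$@"
    sysctl -n net.ipv4.ip_forward | ip_forward_enabled || echo "# warning: ip_forward is off" >&2
fi
```

Review the generated table before loading it: every ACCEPT line carries a source network, the libvirt TCP socket (16509) is absent because it should not be exposed at all, and the LOG line is rate limited so a scan cannot fill the journal. The FORWARD policy is DROP so that a misconfigured host does not become a router; the bridge rule is the one exception and is only emitted when a bridge name is given.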