Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    SELinux Support for Domino

    Daniel Nashed  22 January 2020 14:47:54


    There is an AHA idea to have Domino support SELinux --> https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1121
    My impression was that SELinux is already supported with current Domino releases.
    I asked HCL and it turned out that SELinux is not tested, thus it is currently not supported.
    It would be extra test effort for every distribution and version to run with SELinux.

    Security-Enhanced Linux (SELinux) is a security architecture for Linux® which is integrated in the kernel and allows a separate security layer.
    It was originally developed by the NSA and is today integrated in the kernel.

    You also have to distinguish between different SELinux modes. I was very sure the strict mode would not be supported.

    But I thought the default "enforce" mode with "target" policy would be supported -- but it is currently not.
    Below is a short introduction directly from Red Hat. And if you are interested in details there is a video of a great presentation linked below.

    When I talk to Domino admins they either don't know about SELinux or are told to disable it.
    But there are companies who really have to enable SELinux.
    In fact I have customers who run it today in enforce/target mode without knowing -- because it's the default.

    I would be very interested to hear your feedback. Do you want to use it? Do you have to use it? Are you using it?

    You can either comment here, on the AHA idea or both. And if you find SELinux important to have supported, you can vote on the AHA idea.
    But on top of the vote, please leave a comment describing which requirements you have in detail.
    Is enforced with targeted policy OK? Do you need a profile for Domino (that would be a lot of work and has impact on deployment, troubleshooting etc)?

    To check if SELinux is enabled and in which mode, you can use the following command:

    sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      31
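
    The check above as a script, for admins who want to find hosts that run in enforcing mode without knowing it. This is an added example, not part of the original post or any HCL tooling; the function names and verdict strings are assumptions made for illustration, and the embedded sample is the sestatus output shown above.

```shell
#!/bin/sh
# Added example: classify SELinux state from `sestatus` output.

# Constructed sample input: the sestatus output shown in the post.
sample_sestatus() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
EOF
}

# sestatus_field LABEL: print the value of the "LABEL:" line read from stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# selinux_summary: read sestatus output on stdin, print a one-line verdict.
selinux_summary() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sestatus_field 'SELinux status')
    policy=$(printf '%s\n' "$out" | sestatus_field 'Loaded policy name')
    current=$(printf '%s\n' "$out" | sestatus_field 'Current mode')
    config=$(printf '%s\n' "$out" | sestatus_field 'Mode from config file')
    case "$status" in
        disabled) echo "disabled" ;;
        enabled)
            if [ "$current" = "$config" ]; then
                echo "$current/$policy"
            else
                # Runtime mode differs from the configured one; the
                # configured mode applies again at the next boot.
                echo "mismatch: running=$current configured=$config policy=$policy"
            fi ;;
        *) echo "unknown" ;;   # no parsable sestatus output
    esac
}

# Use the live command where it exists, otherwise the sample above.
if command -v sestatus >/dev/null 2>&1; then
    sestatus | selinux_summary
else
    sample_sestatus | selinux_summary
fi
```

    A "mismatch" verdict is worth a second look on a Domino server: the mode the server is running under right now is not the one it will come back with after a reboot.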

    -- Daniel


    References

    Video
    https://www.youtube.com/watch?v=_WOKRaM-HI4

    Public Documentation
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index

