Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

    SELinux Support for Domino

    Daniel Nashed  22 January 2020 13:47:54


    There is an AHA idea to have Domino support SELinux -->
    https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1121
    My impression was that SELinux is already supported with current Domino releases.
    I asked HCL and it turned out that SELinux is not tested, thus it is currently not supported.
    It would be extra test effort for every distribution and version to run with SELinux.


    Security-Enhanced Linux (SELinux) is a security architecture for Linux® that is integrated into the kernel and provides a separate security layer.
    It was originally developed by the NSA and today ships as part of the kernel.


    You also have to distinguish between different SELinux modes. I was very sure the strict mode would not be supported.

    But I thought the default "enforce" mode with "targeted" policy would be supported -- but it is currently not.

    Below is a short introduction directly from RedHat. And if you are interested in details there is a video of a great presentation linked below.


    When I talk to Domino admins, they either don't know about SELinux or are told to disable it.

    But there are companies who really have to enable SELinux.

    In fact, I have customers who run it today in enforce/target mode without knowing -- because it's the default.


    I would be very interested to hear your feedback. Do you want to use it? Do you have to use it? Are you using it?


    You can either comment here, on the AHA idea, or both. And if you find SELinux important to have supported, you can vote on the AHA idea.

    But on top of the vote, please leave a comment describing which requirements you have in detail.
    Is enforced with targeted policy OK? Do you need a profile for Domino (that would be a lot of work and has impact on deployment, troubleshooting etc.)?


    To check if SELinux is enabled and in which mode, you can use the following command:


    sestatus

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      31


    -- Daniel
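
    The sestatus check above can be scripted to see which Domino servers run enforcing/targeted "without knowing". The following is an added example, not part of the original post or any HCL tooling; the function names and state labels are assumptions, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify `sestatus` output.

# Print the value of one "Key:   value" line from sestatus output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# Print one word for the sestatus text passed as $1:
# disabled | permissive | enforcing-targeted | enforcing-other | mode-mismatch | unknown
selinux_state() {
    se_status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    se_current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    se_config=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    se_policy=$(printf '%s\n' "$1" | sestatus_field "Loaded policy name")

    [ "$se_status" = "disabled" ] && { echo disabled; return; }
    [ "$se_status" = "enabled" ] || { echo unknown; return; }
    # Runtime mode differs from the config file (e.g. after setenforce):
    # the mode will change at the next reboot, so flag it separately.
    [ "$se_current" = "$se_config" ] || { echo mode-mismatch; return; }
    case "$se_current/$se_policy" in
        enforcing/targeted) echo enforcing-targeted ;;
        enforcing/*)        echo enforcing-other ;;
        permissive/*)       echo permissive ;;
        *)                  echo unknown ;;
    esac
}

# The four relevant lines of the sestatus output shown in the post.
SAMPLE_PAGE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

# Constructed sample: switched to permissive at runtime, config still enforcing.
SAMPLE_MISMATCH='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Use the live host if sestatus is installed, otherwise the sample from the post.
if command -v sestatus >/dev/null 2>&1; then
    echo "this host: $(selinux_state "$(sestatus)")"
else
    echo "post sample: $(selinux_state "$SAMPLE_PAGE")"
fi
```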



    References


    Video

    https://www.youtube.com/watch?v=_WOKRaM-HI4

    Public Documentation

    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index

    Comments

    1  Martijn de Jong  27.01.2020 13:38:04  SELinux Support for Domino

    I've had my SELinux setting on permissive for a long time with the idea to check the warnings that would occur and create SELinux rules for those where needed, but I never actually got to that. Are you saying that it actually works with SELinux enabled and without extra rules?
