SELinux Support for Domino
Daniel Nashed – 22 January 2020 13:47:54
There is an AHA idea to have Domino support SELinux --> https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1121
My impression was that SELinux is already supported with current Domino releases.
I asked HCL and it turned out that SELinux is not tested, thus it is currently not supported.
It would be extra test effort for every distribution and version to run with SELinux.
Security-Enhanced Linux (SELinux) is a security architecture for Linux® that is integrated into the kernel and provides a separate security layer.
It was originally developed by the NSA and is today integrated in the kernel.
You also have to distinguish between the different SELinux modes. I was very sure the strict mode would not be supported.
But I thought the default "enforce" mode with "targeted" policy would be supported -- but it is currently not.
Below is a short introduction directly from RedHat. And if you are interested in details there is a video of a great presentation linked below.
When I talk to Domino admins they either don't know about SELinux or are told to disable it.
But there are companies who really have to enable SELinux.
In fact I have customers who run it today in enforce/target mode without knowing -- because it's the default.
I would be very interested to hear your feedback. Do you want to use it? Do you have to use it? Are you using it?
You can either comment here, on the AHA idea, or both. And if you find SELinux important to have supported, you can vote on the AHA idea.
But on top of the vote please leave a comment describing which requirements you have in detail.
Is enforced with targeted policy OK? Do you need a profile for Domino (that would be a lot of work and has impact on deployment, troubleshooting etc)?
To check if SELinux is enabled and in which mode, you can use the following command:
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
-- Daniel
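One way to turn the `sestatus` check above into a one-line classification for auditing several servers, as an added example that is not part of the original post. The function names `sestatus_field` and `selinux_classify` are hypothetical, and the sample input is taken from the report shown in the post.

```shell
#!/bin/sh
# Added example: classify a `sestatus` report read from stdin.
# Live use on a server: sestatus | selinux_classify

# Print the value of one "Key: value" field (helper name is hypothetical).
sestatus_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print disabled | permissive | enforcing-<policy> | unknown, with
# " config-mismatch" appended when the running mode differs from the mode in
# the config file, i.e. the mode will change at the next boot.
selinux_classify() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | sestatus_field "SELinux status")
    mode=$(printf '%s\n' "$report" | sestatus_field "Current mode")
    policy=$(printf '%s\n' "$report" | sestatus_field "Loaded policy name")
    cfg=$(printf '%s\n' "$report" | sestatus_field "Mode from config file")

    case "$status" in
        enabled)  ;;
        disabled) echo "disabled"; return 0 ;;
        *)        echo "unknown"; return 0 ;;
    esac
    case "$mode" in
        enforcing)  result="enforcing-$policy" ;;
        permissive) result="permissive" ;;
        *)          result="unknown" ;;
    esac
    if [ -n "$cfg" ] && [ "$cfg" != "$mode" ]; then
        result="$result config-mismatch"
    fi
    echo "$result"
}

# Sample input: the first six lines of the report shown in the post.
SAMPLE='SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing'

printf '%s\n' "$SAMPLE" | selinux_classify   # prints: enforcing-targeted
```

A `config-mismatch` result typically means the mode was switched at runtime and will revert to the config file setting on reboot.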
References
Video
https://www.youtube.com/watch?v=_WOKRaM-HI4
Public Documentation
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index