Must have features for various enterprise customers.
@Daniel: Many thanks, this is exactly what I was assuming!
So it would make sense to have an SELinux policy at least for these two binaries.
@Toni, the restricted ports are handled via bindsock. It has the sticky bit set and is owned by root. That allows access to restricted ports. By the way tunekrnl is used to set kernel parameters like network parameters ..
-- Daniel Nashed
We are using Domino on RHEL 6 and 7 and on CentOS 6 and 7.
On Linux systems running Domino, we are currently setting SELinux to permissive, because there is no official support for "enforcing".
It means that we have to change the system default, which is "enforcing".
The minimum we would expect is HCL supporting "enforcing" with "targeted" policy. In that configuration, SELinux would restrict system components and typical add-on software from doing something nasty to the OS, but Domino processes would not be affected by any SELinux restrictions.
As Domino is running with normal user privileges (e.g. user "notes" rather than user "root"), it means that hackers have a natural restriction to abuse Domino processes (such as "http", "smtp", "ldap", etc.) to do something nasty, and to access areas of the OS, which they shouldn't. For that reason, dedicated SELinux policies for Domino tasks would be nice-to-have, rather than mandatory. - But still nice-to-have!
Notice, that Linux systems restrict normal users (i.e. user "notes") from opening network sockets on privileged ports (1-1024). These can only be opened by a privileged user (e.g. user "root"). I wonder how Domino manages to open these ports as non-privileged user. Perhaps, there may be a Domino wrapper running as "root", which is opening sockets on privileged ports. At least for this aspect of Domino, it would make sense to have dedicated SELinux policies for Domino, as hackers may exploit (in theory) the early stage of wrapping with root privileges.
Additional notes on this topic:
Toni Feric, Belsoft Collaboration
FYI -- I have posted a blog post about it to make admins aware that it is currently not supported.
http://blog.nashcom.de/nashcomblog.nsf/dx/selinux-support-for-domino.htm
I would wish that HCL supports the default mode, in which RHEL ships. Enforced with targeted policy.
[ Daniel Nashed / http://blog.nashcom.de ]
I'm referring to the default (and recommended) settings from the installation in CentOS and RHEL. This is the default /etc/selinux/config file from RHEL 8.1:
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Here's an example of an SELinux error for mongodb I saw recently on an enforcing system: "SELinux is preventing /usr/bin/mongod from read access on the file /sys/fs/cgroup/memory/memory.limit_in_bytes"
And here's a document on how to fix it: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/#install-rhel-configure-selinux
So to clarify, what I'm asking for in this "idea" is for Domino to support SELinux by HCL testing installation and runtime of Domino with SELinux in Enforcing/Targeted mode. If any access issues to system files (like the mongodb example above) occur, then the fix would be implemented in the installation routine or alternately documented in the installation instructions and the knowledge base.
Which larger applications do you know, which fully support SELinux?
Fully means enforcing with strict policy.
What are you looking for? enforcing with targeted or strict protection?
Permissive mode should work and should not report errors for Domino -- just tested.
By default the mode is permissive, which means issues are only reported.
Enforcing with targeted policy will only protect applications which have a profile - I also did a quick test with plain Domino 11 on RHEL 8.1 for that to understand what happens.
Strict would need a proper profile for every process/application.
I just tested to boot my RHEL 8.1 server and I wasn't even able to log in any more ..
So "strict" would be a lot of work! But targeted should be something that "just" needs to be tested, from what I understand.
That would already allow the processes that are more exposed to risks to define profiles and be protected.
Here are the details from the config file:
You have to distinguish:
SELINUX
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
If you enforce SELinux you have to distinguish between the following two types
SELINUXTYPE
targeted - Targeted processes are protected
strict - Full SELinux protection.
targeted means that only processes/applications with a profile will be protected.
[ Daniel Nashed / http://blog.nashcom.de ]
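Added example, not part of the thread or of any HCL or Domino code: a small Python summarizer for SELinux AVC denial records, the audit-log form of the mongod error quoted above and of the issues that permissive mode only reports. The sample records are constructed, and the domain "domino_sample_t" is a hypothetical placeholder for a dedicated policy being trialled in permissive mode.

```python
import re
from collections import Counter

# Constructed sample audit records (not from a real system). The first two
# mirror the mongod denial quoted in the thread; "domino_sample_t" is a
# hypothetical domain name used only for illustration.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1580000001.101:210): avc:  denied  { read } for  pid=1811 comm="mongod" name="memory.limit_in_bytes" dev="cgroup" ino=77 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000002.202:211): avc:  denied  { read } for  pid=1811 comm="mongod" name="memory.limit_in_bytes" dev="cgroup" ino=77 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000003.303:212): avc:  denied  { name_bind } for  pid=2044 comm="bindsock" src=25 scontext=system_u:system_r:domino_sample_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1580000003.303:212): arch=c000003e syscall=49 success=yes exit=0 comm="bindsock"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def summarize_denials(log_text):
    """Count AVC denials per (comm, source type, permission, target type,
    object class, logged_in_permissive)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        # SELinux contexts are user:role:type:level; the type is what policy rules use.
        source_type = m["scontext"].split(":")[2]
        target_type = m["tcontext"].split(":")[2]
        for perm in m["perms"].split():
            counts[(m["comm"], source_type, perm, target_type,
                    m["tclass"], m["permissive"] == "1")] += 1
    return counts

def permissive_only_commands(counts):
    """Commands whose accesses were logged but allowed (permissive=1);
    the same accesses would be blocked once the mode is enforcing."""
    return sorted({key[0] for key in counts if key[5]})

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(n, key)
```

On a real system the input would be the AVC records from the audit log (for example the output of `ausearch -m avc`) instead of the constructed sample.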