#dominoforever | Product Ideas Portal

 


It's time to officially support SELinux in Enforcing Mode

SELinux is almost 20 years old now.  Most software that runs on Linux is well integrated into SELinux by this time and Domino should be, too.

I would add that I've been routinely ignoring that instruction for quite a few years now and have never seen an AVC Denial in CentOS nor RedHat Linux Enterprise. Maybe all that needs to be done is some testing to validate that installing and running Domino on Linux with SELinux in Enforcing mode does not cause known problems and is, therefore, a supported configuration. This would enhance Domino's reputation in Security. See Promote Domino as the most secure thing on the planet.

 

Clarification:

So to clarify, what I'm asking for in this "idea" is for Domino support for SELinux by HCL testing installation and runtime of Domino with SELinux in Enforcing/Targeted mode.

 

If no errors are observed, then the documentation should state that this is a supported OS configuration.

 

If any access issues to system objects/files (like the mongodb example in my comment below) occur, then the fix would be implemented in the installation routine or alternately documented in the installation instructions and the knowledge base. 

  • Guest
  • Jan 15 2020
  • Needs clarification
  • Guest commented
    17 Jan 08:18

    Which larger applications do you know, which fully support SELinux?
    Fully means enforcing with strict policy.

    What are you looking for? enforcing with targeted or strict protection?

    Permissive mode should work and should not report errors for Domino -- just tested.
    By default the mode is permissive, which means issues are only reported.

    Enforcing with targeted policy will only protect applications which have a profile - I also did a quick test with plain Domino 11 on RHEL 8.1 for that to understand what happens.

    Strict would need a proper profile for every process/application.

    I just tested to boot my RHEL 8.1 server and I wasn't even able to login any more ..

    So "strict" would be a lot of work! But targeted should be something that "just" needs to be tested, from what I understand.

    That would already allow the processes that are more exposed to risks to define profiles and be protected.


    Here are the details from the config file:

    You have to distinguish:

    SELINUX
    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.

    If you enforce SELinux you have to distinguish the following two types

    SELINUXTYPE
    targeted - Targeted processes are protected
    strict - Full SELinux protection.

    targeted means that only processes/applications with a profile will be protected.

     

    [ Daniel Nashed / http://blog.nashcom.de ]

  • Guest commented
    17 Jan 13:32

    I'm referring to the default (and recommended) settings from the installation in CentOS and RHEL. This is the default /etc/selinux/config file from RHEL 8.1:

    # cat /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

     

    Here's an example of an SELinux error for mongodb I saw recently on an enforcing system: "SELinux is preventing /usr/bin/mongod from read access on the file /sys/fs/cgroup/memory/memory.limit_in_bytes"

    And here's a document on how to fix it: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/#install-rhel-configure-selinux

     

    So to clarify, what I'm asking for in this "idea" is for Domino to support SELinux by HCL testing installation and runtime of Domino with SELinux in Enforcing/Targeted mode. If any access issues to system files (like the mongodb example above) occur, then the fix would be implemented in the installation routine or alternately documented in the installation instructions and the knowledge base.

  • Guest commented
    22 Jan 16:40

    FYI -- I have posted a blog post about it to make admins aware that it is currently not supported.

    http://blog.nashcom.de/nashcomblog.nsf/dx/selinux-support-for-domino.htm

    I would wish that HCL supports the default mode, in which RHEL ships. Enforced with targeted policy.

    [ Daniel Nashed / http://blog.nashcom.de ]

  • Guest commented
    23 Jan 10:53

    We are using Domino on RHEL 6 and 7 and on CentOS 6 and 7.

    On Linux systems running Domino, we are currently setting SELinux to permissive, because there is no official support for "enforcing".

    It means that we have to change the system default, which is "enforcing".

    The minimum we would expect is HCL supporting "enforcing" with "targeted" policy. In that configuration, SELinux would restrict system components and typical add-on software from doing something nasty to the OS, but Domino processes would not be affected by any SELinux restrictions.

    As Domino is running with normal user privileges (e.g. user "notes" rather than user "root"), it means that hackers have a natural restriction to abuse Domino processes (such as "http", "smtp", "ldap", etc.) to do something nasty, and to access areas of the OS, which they shouldn't. For that reason, dedicated SELinux policies for Domino tasks would be nice-to-have, rather than mandatory. - But still nice-to-have!

    Notice, that Linux systems restrict normal users (i.e. user "notes") from opening network sockets on privileged ports (1-1024). These can only be opened by a privileged user (e.g. user "root"). I wonder how Domino manages to open these ports as non-privileged user. Perhaps, there may be a Domino wrapper running as "root", which is opening sockets on privileged ports. At least for this aspect of Domino, it would make sense to have dedicated SELinux policies for Domino, as hackers may exploit (in theory) the early stage of wrapping with root privileges.

    Additional notes on this topic:

    1. On Linux systems running Docker/Kubernetes, we never change the SELinux configuration. It is always set to "enforcing".
    2. We know about customers, who have migrated from Solaris to Linux, and the administrators seem to carry some of the mindset forward to RHEL. As a result, they configure SELinux to "permissive" as system default.

     

    Toni Feric, Belsoft Collaboration

  • Guest commented
    23 Jan 11:07

    @Toni, the restricted ports are handled via bindsock. It has the sticky bit set and is owned by root. That allows access to restricted ports. By the way, tunekrnl is used to set kernel parameters like network parameters ..

    -- Daniel Nashed

  • Guest commented
    23 Jan 11:14

    @Daniel: Many thanks, this is exactly what I was assuming!

    So it would make sense to have an SELinux policy at least for these two binaries.
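
The validation this idea asks for (run Domino with SELinux in Enforcing/Targeted mode and look for AVC denials) can be scripted. The following is an added example, not part of the thread and not HCL code: it reads `/etc/selinux/config`-style text and counts AVC denials per watched process from audit-log text. The audit lines are constructed for illustration (the `mongod` one mirrors the error quoted above, the `bindsock` one is hypothetical), and the watch list uses binary names mentioned in the comments.

```python
import re
from collections import Counter

# Constructed sample input (not captured from a real Domino or MongoDB host).
SAMPLE_CONFIG = "# comment line\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"
SAMPLE_AUDIT = """\
type=AVC msg=audit(1579267200.123:456): avc:  denied  { read } for  pid=1234 comm="mongod" name="memory.limit_in_bytes" dev="cgroup" ino=42 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579267200.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="mongod"
type=AVC msg=audit(1579267300.500:470): avc:  denied  { name_bind } for  pid=2001 comm="bindsock" src=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_config(text):
    """Return the KEY=value settings of an /etc/selinux/config-style file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["enforced"] = fields.get("permissive") == "0"  # permissive=1: logged only
    return fields

def denials_for(log_text, watched):
    """Count denials per (comm, permission, class, enforced) for watched processes."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") in watched:
            for perm in rec["perms"]:
                hits[(rec["comm"], perm, rec.get("tclass"), rec["enforced"])] += 1
    return hits

if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG))
    for key, count in denials_for(SAMPLE_AUDIT, {"mongod", "bindsock", "tunekrnl"}).items():
        print(key, count)
```

An empty result for the Domino binaries over a full install and runtime test on an enforcing/targeted host is the evidence the original post asks HCL to collect; entries with `enforced` set to `False` come from permissive mode and would become real failures once enforcing is on.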