# SELinux

{% hint style="warning" %}
Run all commands as **root**.
{% endhint %}

## **How Datasentinel Works**

Datasentinel’s NGINX reverse-proxy talks to its internal services on a fixed set of local TCP ports:

* **8216 — InfluxDB** (times-series metrics store)
* **9342 — PostgreSQL** (configuration & metadata)
* **12324 — Backend API**
* **13300 — Dispatcher** (agent-less collection)
* **7125 — Grafana** (built-in dashboards)

NGINX config file:  `/etc/nginx/conf.d/datasentinel.conf`

## SELinux Status & Mode

### Check

| What you need            | OS command   | Expected output                                                                                                                                             |
| ------------------------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Current runtime mode** | `getenforce` | <p><code>Enforcing</code>, <code>Permissive</code>, or <code>Disabled</code><br>(If the command is missing, SELinux user-space tools aren’t installed.)</p> |
| **Detailed status**      | `sestatus`   | Shows the loaded policy, runtime mode, and the mode that will apply on next boot.                                                                           |

### Modes

* **Enforcing:** SELinux actively blocks any action that violates the loaded security policy and logs the denial.
* **Permissive:** SELinux allows actions that would normally be denied but still logs the violations for troubleshooting and policy tuning.
* **Disabled:** SELinux is turned off entirely, so no security policy is loaded, and no access controls or audit logs are applied.

### **Quick test workflow**

1. Run `getenforce` to confirm the current mode.
2. If you need to troubleshoot, switch to permissive (logs only):

   ```bash
   setenforce 0   # temporary—reverts at reboot
   ```
3. Re-run `getenforce`; it should now read `Permissive`.
4. When finished, return to enforcing:

   ```bash
   setenforce 1
   ```
5. For a permanent change, edit `/etc/selinux/config` and reboot.

## Requirement

{% hint style="danger" %}
**SELinux Requirement**\
For proper operation of all Datasentinel services, SELinux **must be set to&#x20;*****Permissive*****&#x20;or&#x20;*****Disabled*** on the host. Running in *Enforcing* mode can block critical internal traffic and file access, preventing components from starting or communicating.
{% endhint %}

<table><thead><tr><th width="196.98052978515625">Approach</th><th width="310.7557373046875">What it does</th><th>Commands / Steps</th></tr></thead><tbody><tr><td><strong>1. Bypass SELinux</strong><br></td><td>Turns SELinux off (or into permissive mode) so it never blocks Datasentinel.</td><td>• <strong>Temporary:</strong><br>  <code>setenforce 0</code>  → mode switches to <em>Permissive</em> until next reboot.<br><br>• <strong>Permanent:</strong><br>  Edit <code>/etc/selinux/config</code> and set <code>SELINUX=permissive</code> <strong>or</strong> <code>SELINUX=disabled</code>, then reboot.</td></tr></tbody></table>