# SELinux

{% hint style="warning" %}
Run all commands as **root**.
{% endhint %}

## **How Datasentinel Works**

Datasentinel’s NGINX reverse-proxy talks to its internal services on a fixed set of local TCP ports:

* **8216 — InfluxDB** (time-series metrics store)
* **9342 — PostgreSQL** (configuration & metadata)
* **12324 — Backend API**
* **13300 — Dispatcher** (agent-less collection)
* **7125 — Grafana** (built-in dashboards)

NGINX config file: `/etc/nginx/conf.d/datasentinel.conf`

## SELinux Status & Mode

### Check

| What you need            | OS command   | Expected output                                                                                                                                             |
| ------------------------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Current runtime mode** | `getenforce` | <p><code>Enforcing</code>, <code>Permissive</code>, or <code>Disabled</code><br>(If the command is missing, SELinux user-space tools aren’t installed.)</p> |
| **Detailed status**      | `sestatus`   | Shows the loaded policy, runtime mode, and the mode that will apply on next boot.                                                                           |

### Modes

* **Enforcing:** SELinux actively blocks any action that violates the loaded security policy and logs the denial.
* **Permissive:** SELinux allows actions that would normally be denied but still logs the violations for troubleshooting and policy tuning.
* **Disabled:** SELinux is turned off entirely, so no security policy is loaded, and no access controls or audit logs are applied.

### **Quick test workflow**

1. Run `getenforce` to confirm the current mode.
2. If you need to troubleshoot, switch to permissive (logs only):

   ```bash
   setenforce 0   # temporary—reverts at reboot
   ```
3. Re-run `getenforce`; it should now read `Permissive`.
4. When finished, return to enforcing:

   ```bash
   setenforce 1
   ```
5. For a permanent change, edit `/etc/selinux/config` and reboot.

## Requirement

{% hint style="danger" %}
**SELinux Requirement**\
For proper operation of all Datasentinel services, SELinux **must be set to** ***Permissive*** **or** ***Disabled*** on the host. Running in *Enforcing* mode can block critical internal traffic and file access, preventing components from starting or communicating.
{% endhint %}

<table><thead><tr><th width="196.98052978515625">Approach</th><th width="310.7557373046875">What it does</th><th>Commands / Steps</th></tr></thead><tbody><tr><td><strong>1. Bypass SELinux</strong><br></td><td>Turns SELinux off (or into permissive mode) so it never blocks Datasentinel.</td><td>• <strong>Temporary:</strong><br><code>setenforce 0</code>  → mode switches to <em>Permissive</em> until next reboot.<br><br>• <strong>Permanent:</strong><br>Edit <code>/etc/selinux/config</code> and set <code>SELINUX=permissive</code> <strong>or</strong> <code>SELINUX=disabled</code>, then reboot.</td></tr></tbody></table>
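A temporary `setenforce 0` is lost at the next reboot unless `/etc/selinux/config` agrees with it, so it helps to compare the runtime mode with the `SELINUX=` line. The script below is an added example, not part of Datasentinel's tooling; the function names and verdict strings are made up for illustration.

```bash
#!/bin/sh
# Added example: compare the SELinux runtime mode with the boot-time mode.

# Print the SELINUX= value (lower-cased) from a config file,
# skipping comment lines and the SELINUXTYPE= line.
selinux_boot_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t\r]/, "", key) }
        key == "SELINUX" { v = $2; sub(/#.*/, "", v); gsub(/[ \t\r]/, "", v); val = tolower(v) }
        END { if (val == "") val = "unknown"; print val }
    ' "$cfg"
}

# Print the runtime mode (lower-cased), or "unknown" when getenforce is
# missing, i.e. the SELinux user-space tools are not installed.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo "unknown"
    fi
}

# Classify a runtime/boot pair against the requirement on this page
# (Permissive or Disabled). Verdict strings are hypothetical labels.
datasentinel_selinux_verdict() {
    for m in "$1" "$2"; do
        case "$m" in
            enforcing|permissive|disabled) ;;
            *) echo "unknown"; return 0 ;;
        esac
    done
    case "$1:$2" in
        enforcing:enforcing) echo "blocking" ;;               # set now and after reboot
        enforcing:*)         echo "enforcing-until-reboot" ;; # config edited, not yet rebooted
        *:enforcing)         echo "reverts-at-reboot" ;;      # only setenforce 0 was run
        *)                   echo "ok" ;;
    esac
}

# Report for this host.
datasentinel_selinux_verdict "$(selinux_runtime_mode)" "$(selinux_boot_mode)"
```

A result of `reverts-at-reboot` means the host satisfies the requirement now but will return to *Enforcing* after the next reboot.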


