Chapter 6. Tools for Manipulating and Analyzing SELinux
# This shows one second intervals:
avcstat 1
   lookups       hits     misses     allocs   reclaims      frees
 194670327  194657424      12903      12903        880      12402
       493        493          0          0          0          0
       370        370          0          0          0          0
       390        390          0          0          0          0
       366        366          0          0          0          0
       364        364          0          0          0          0

# With these five second intervals, you see the accumulation
# of lookups and hits over the course of the interval.
avcstat 5
   lookups       hits     misses     allocs   reclaims      frees
 194683017  194670114      12903      12903        880      12402
      1966       1966          0          0          0          0
      1824       1824          0          0          0          0

The lookups field shows the workload of the AVC. It is not uncommon to have the number of hits be smaller than the number of lookups. Section 6.4 Performance Tuning discusses how to use avcstat for performance tuning.
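
The sample output above can be reduced to a hit ratio and a per-second lookup rate. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes, as the sample suggests, that the first data row holds running totals and each later row covers one interval.

```python
# Added example: summarize avcstat output (hypothetical helper names).
FIELDS = ("lookups", "hits", "misses", "allocs", "reclaims", "frees")

# Constructed input: copied from the `avcstat 1` sample shown above.
SAMPLE = """\
   lookups       hits     misses     allocs   reclaims      frees
 194670327  194657424      12903      12903        880      12402
       493        493          0          0          0          0
       370        370          0          0          0          0
       390        390          0          0          0          0
       366        366          0          0          0          0
       364        364          0          0          0          0
"""

def parse_avcstat(text):
    """Return (totals, intervals); each row is a dict keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "lookups":  # skip blank and header lines
            continue
        if len(parts) != len(FIELDS) or not all(p.isdigit() for p in parts):
            raise ValueError(f"unexpected avcstat line: {line!r}")
        rows.append(dict(zip(FIELDS, map(int, parts))))
    if not rows:
        raise ValueError("no data rows found")
    # Assumption: first row is the running total, the rest are per-interval.
    return rows[0], rows[1:]

def hit_ratio(row):
    """Fraction of lookups answered from the cache; 1.0 for an idle interval."""
    return row["hits"] / row["lookups"] if row["lookups"] else 1.0

def summarize(text, interval_seconds):
    totals, intervals = parse_avcstat(text)
    return {
        "total_hit_ratio": hit_ratio(totals),
        "lookups_per_second": [r["lookups"] / interval_seconds for r in intervals],
        # Intervals where the AVC had to compute a decision from policy.
        "intervals_with_misses": [i for i, r in enumerate(intervals) if r["misses"]],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, interval_seconds=1))
```
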

seinfo

This utility is useful in describing the breakdown of a policy, such as the number of classes, types, Booleans, allow rules, and so forth. Similar in function to some aspects of apol, seinfo is a quick command-line utility that takes policy.conf or a binary policy file as input.

The results differ between binary and source policy files. For example, the policy source file uses the { } brackets to group multiple rule elements onto a single line. A similar effect happens with attributes, where a single attribute expands into one or many types. Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results. However, the number of rules greatly increases, as each rule that formerly occupied one line using brackets is now a number of individual lines.

Some items are not present in the binary policy. For example, neverallow rules are only checked during policy compile, not during runtime, and initial SIDs are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot.

seinfo $SELINUX_SRC/policy.conf
Statistics for policy file: $SELINUX_SRC/policy.conf
Policy Version: v.18
Policy Type: source

   Classes:            53    Permissions:       192
   Types:             317    Attributes:         81
   Users:               3    Roles:               4
   Booleans:           20    Cond. Expr.:        21
   Allow:            2292    Neverallow:          7
   Auditallow:          2    Dontaudit:         225
   Type_trans:         99    Type_change:         0
   Role allow:          5    Role trans:          0
   Initial SIDs:       27

seinfo $SELINUX_POLICY/policy.18
Statistics for policy file: $SELINUX_POLICY/policy.18
Policy Version: v.18
Policy Type: binary