NAME¶
avc_cache_stats, avc_av_stats, avc_sid_stats - obtain userspace SELinux AVC
statistics.
SYNOPSIS¶
#include <selinux/selinux.h>
#include <selinux/avc.h>
void avc_av_stats(void);
void avc_sid_stats(void);
void avc_cache_stats(struct avc_cache_stats *stats);
DESCRIPTION¶
The userspace AVC maintains two internal hash tables, one to store security ID's
and one to cache access decisions.
avc_av_stats and
avc_sid_stats produce log messages indicating the
status of the access decision and SID tables, respectively. The messages
contain the number of entries in the table, number of hash buckets and number
of buckets used, and maximum number of entries in a single bucket.
avc_cache_stats populates a structure whose fields reflect cache
activity:
struct avc_cache_stats {
unsigned entry_lookups;
unsigned entry_hits;
unsigned entry_misses;
unsigned entry_discards;
unsigned cav_lookups;
unsigned cav_hits;
unsigned cav_probes;
unsigned cav_misses;
};
- entry_lookups
- Number of queries made.
- entry_hits
- Number of times a decision was found in the aeref
argument.
- entry_misses
- Number of times a decision was not found in the
aeref argument.
- entry_discards
- Number of times a decision was not found in the
aeref argument and the aeref argument was non-NULL.
- cav_lookups
- Number of cache lookups.
- cav_hits
- Number of cache hits.
- cav_misses
- Number of cache misses.
- cav_probes
- Number of entries examined while searching the cache.
NOTES¶
When the cache is flushed as a result of a call to
avc_reset or a policy
change notification, the statistics returned by
avc_cache_stats are
reset to zero. The SID table, however, is left unchanged.
When a policy change notification is received, a call to
avc_av_stats is
made before the cache is flushed.
AUTHOR¶
Eamon Walsh <ewalsh@tycho.nsa.gov>
SEE ALSO¶
avc_init(3),
avc_has_perm(3),
avc_context_to_sid(3),
avc_add_callback(3) selinux(8)