avc_av_stats - Linux


Overview

avc_av_stats is an SELinux command that reports on the security status of a system. It analyzes the Access Vector Cache (AVC) and presents statistics on the permissions SELinux has granted and denied.

Syntax

avc_av_stats [options]

Options/Flags

  • -l, --labels: List labels that were used in the AVC cache during the given time period.
  • -t, --time: Specify a time range in milliseconds to filter the statistics. The default range is the time since the system was last booted.
  • -c, --cleared: Display statistics for AVC denials that have been cleared.
  • -y, --raw: Output raw data instead of summarized statistics.
  • -h, --help: Display help information.

Examples

  • Display AVC cache statistics for the last 10 minutes:
      avc_av_stats -t 600000
  • List labels used in the AVC cache:
      avc_av_stats -l
  • Display raw data without summarization:
      avc_av_stats -y

Common Issues

  • If the command does not return any results, it could indicate that SELinux is not enabled or that there have been no recent AVC events.
  • Raw data output can be complex and difficult to interpret. Use the -l and -t options to filter the data for easier analysis.

Integration

  • ausearch: Use ausearch -m avc to extract audit records related to AVC events.
  • grep: Filter raw output from avc_av_stats -y to find specific patterns.
  • scripts: Create scripts that monitor and report on AVC statistics for security analysis.
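
A reporting script of the kind described above, as an added example that is not part of the original page: it reads audit records such as those printed by ausearch -m avc on stdin and counts denials per source type, target type, object class and permission. The sample records are constructed, and the names summarize and selinux_type are hypothetical.

```python
import re
import sys
from collections import Counter

# Constructed sample records in the audit log AVC format (not real log data).
SAMPLE = """\
type=AVC msg=audit(1700000000.101:411): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.220:412): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/home/u/site/a.css" dev="dm-0" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.007:415): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000009.007:415): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1700000011.500:420): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# One AVC record: result, permission set, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(lines):
    """Count denials keyed by (source type, target type, class, perm, enforced)."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["result"] != "denied":
            continue  # skip SYSCALL/PATH records and audited grants
        # Assumption: a record without a permissive= field is treated as enforced.
        enforced = m["permissive"] != "1"
        for perm in m["perms"].split():
            counts[(selinux_type(m["scon"]), selinux_type(m["tcon"]),
                    m["tclass"], perm, enforced)] += 1
    return counts

if __name__ == "__main__":
    # Use piped input when present, otherwise the constructed sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for (s, t, c, p, enf), n in summarize(src).most_common():
        state = "blocked" if enf else "permissive"
        print(f"{n:4d}  {s} -> {t}:{c} {{ {p} }}  {state}")
```

Denials logged with permissive=1 were not actually blocked, so the report keeps them apart from enforced denials rather than merging the two counts.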

Related Commands

  • audit2allow: Generates SELinux policy to allow previously denied AVC requests.
  • ausearch: Searches security audit logs.
  • semanage: Manages SELinux settings and policies.