avc_sid_stats - Linux


avc_sid_stats is a Linux command that provides detailed statistics about Security-Enhanced Linux (SELinux) access vector cache (AVC) Security Identifier (SID) usage. It helps administrators analyze the AVC cache performance, identify potential bottlenecks, and improve the overall SELinux security posture.


avc_sid_stats [-h] [-a] [-n] [-s] [-t] [-x] [-v]


  • -h, –help: Display this help message.
  • -a, –all: Include disabled SIDs in the statistics.
  • -n, –no-header: Do not print the headers in the output.
  • -s, –sort: Sort the output by the specified field (default: "sid").
  • -t, –table: Output the statistics in a table format.
  • -x, –xml: Output the statistics in XML format.
  • -v, –version: Display the command version.


List AVC SID statistics


Sort output by number of AVC invocations

avc_sid_stats -s access_count

Display statistics in XML format

avc_sid_stats -x

Filter for disabled SIDs

avc_sid_stats -a

Common Issues

  • No statistics are displayed: Ensure that the AVC cache is enabled and that the kernel is logging AVC denials.
  • Output is too verbose: Use the -n option to suppress the header rows.
  • XML output is malformed: Check the kernel version. Some older versions may have issues generating valid XML output.


avc_sid_stats can be integrated with other SELinux tools for advanced analysis. For example:

# Identify the most frequently accessed SIDs
avc_sid_stats -s access_count | head -n 10

# Count the total number of AVC denials for a specific SID
avc_sid_stats | grep 'my_sid' | awk '{print $3}'

Related Commands

  • dmesg: Display kernel log messages.
  • auditctl: Manage SELinux auditing configuration.
  • sealert: Analyze and report SELinux audit events.