Chapter 6. Tools for Manipulating and Analyzing SELinux
Figure 6-8. Direct Information Flow Analysis
Information flow analysis can be a challenging and daunting task. The policy holds thousands or
tens of thousands of rules with hundreds of types, all interacting in multiple ways. The help file
/usr/share/doc/setools-<version>/iflow_help.txt is essential reading for understanding
information flow analysis in SELinux.
In doing transitive information flow analysis, apol attempts to string together different direct flows,
looking for ways that information can transit between direct flows. This looks for ways that allow the
farthest ends of the different direct flows to pass information to each other.
6.4. Performance Tuning
The major performance cost that SELinux imposes on the system is in the kernel, where the hooks
used through LSM divert the kernel flow into the AVC. Usually, the working set of cached permissions
used in normal system operations is relatively small, fewer than 100 AVC entries for most systems
with a focused mission. SELinux maintains up to 512 entries in the cache, and does not usually need
to perform additional lookups outside of that cache.
If you suspect you are having performance problems due to SELinux or you generally want to
fine-tune your system, you can monitor the AVC through the /selinux file system. The first file,
/selinux/avc/hash_stats, shows the number of entries, the number of hash buckets used by the
entries, and the length of the longest hash chain:
cat /selinux/avc/hash_stats
entries: 521              # total number of AVC entries
buckets used: 285/512     # total number of buckets
longest chain: 6          # hash chain of less than 10 is optimal
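The check this section describes, as an added example that is not part of the original guide: a shell function that parses the hash_stats fields and exits non-zero when the longest chain exceeds 10. The function name, exit codes and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): parse AVC hash statistics and flag
# long hash chains. Function name, exit codes and output format are
# assumptions made for this illustration.

# avc_hash_check [FILE] [MAX_CHAIN]
#   exit 0: longest chain within MAX_CHAIN, 1: chain too long, 2: unreadable/unparsed
avc_hash_check() {
    stats_file=${1:-/selinux/avc/hash_stats}   # pass another path if selinuxfs is mounted elsewhere
    max_chain=${2:-10}                         # chains longer than 10 may cost performance

    [ -r "$stats_file" ] || { echo "cannot read $stats_file" >&2; return 2; }

    awk -v max="$max_chain" '
        { sub(/[ \t]*#.*/, "") }               # drop trailing "# ..." annotations
        /^entries:/       { entries = $2 }
        /^buckets used:/  { split($3, b, "/"); used = b[1]; total = b[2] }
        /^longest chain:/ { chain = $3 }
        END {
            if (entries == "" || chain == "" || total + 0 == 0) {
                print "unrecognised hash_stats format" > "/dev/stderr"
                exit 2
            }
            avg = (used + 0 > 0) ? entries / used : 0   # mean entries per used bucket
            printf "entries=%d buckets=%d/%d (%.0f%% used) avg_chain=%.2f longest=%d\n",
                   entries, used, total, 100 * used / total, avg, chain
            exit ((chain + 0 > max + 0) ? 1 : 0)
        }' "$stats_file"
}

# Constructed sample input mirroring the listing above, so the check can be tried off-box.
sample=$(mktemp)
printf '%s\n' 'entries: 521  # total number of AVC entries' \
              'buckets used: 285/512' \
              'longest chain: 6' > "$sample"
avc_hash_check "$sample"
rm -f "$sample"
```

Run from cron or a monitoring agent, the exit status alone is enough to raise an alert when chains grow past the threshold.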
If your hash chains are growing to be larger than 10, there may be a performance impact. You can
consider reducing the size of the cache. To increase or decrease the size of the cache, you can set a
new value through this tunable:





