1#!@@GOODSH@@ 2# 3# Plugin to monitor SELinux Access Vector Cache (AVC). 4# 5# config (required) 6# autoconf (optional - used by munin-config) 7# 8# GNU GPL, Lars Strand 9# 10# 11# Magic markers (used by munin-config and some installation scripts (i.e. 12# optional)): 13#%# family=auto 14#%# capabilities=autoconf 15 16 17if [ -r /selinux/avc/cache_stats ]; then 18 AVCSTATS="/selinux/avc/cache_stats" 19else 20 AVCSTATS="/sys/fs/selinux/avc/cache_stats" 21fi 22 23if [ "$1" = "autoconf" ]; then 24 if [ -r "$AVCSTATS" ]; then 25 echo yes 26 else 27 echo "no (missing $AVCSTATS file)" 28 fi 29 exit 0 30fi 31 32if [ "$1" = "config" ]; then 33 34 echo "graph_title SELinux Access Vector Cache" 35 echo 'graph_args -l 0 --base 1000' 36 echo 'graph_vlabel AVC operations' 37 echo 'graph_category system' 38 echo 'graph_order lookups hits misses allocations reclaims frees' 39 40 echo 'lookups.label lookups' 41 echo 'lookups.type DERIVE' 42 echo 'lookups.min 0' 43 echo 'lookups.max 1000000000' 44 echo 'lookups.draw AREA' 45 echo 'lookups.colour ff0000' # Red 46 echo 'lookups.info Number of access vector lookups. This number is a good indicator of the load beeing placed on the AVC.' 47 48 echo 'hits.label hits' 49 echo 'hits.type DERIVE' 50 echo 'hits.min 0' 51 echo 'hits.max 1000000000' 52 echo 'hits.draw STACK' 53 echo 'hits.colour 0022ff' # Blue 54 echo 'hits.info Number of access vector hits.' 55 56 echo 'misses.label misses' 57 echo 'misses.type DERIVE' 58 echo 'misses.min 0' 59 echo 'misses.max 1000000000' 60 echo 'misses.draw STACK' 61 echo 'misses.colour 990000' # Darker red 62 echo 'misses.info Number of cache misses.' 63 64 echo 'allocations.label allocations' 65 echo 'allocations.type DERIVE' 66 echo 'allocations.min 0' 67 echo 'allocations.max 100000000' 68 echo 'allocations.draw STACK' 69 echo 'allocations.colour ffa500' # Orange 70 echo 'allocations.info Number of AVC entries allocated.' 71 72 echo 'reclaims.label reclaims' 73 echo 'reclaims.type DERIVE' 74 echo 'reclaims.min 0' 75 echo 'reclaims.max 1000000000' 76 echo 'reclaims.draw STACK' 77 echo 'reclaims.colour 00aaaa' # Darker turquoise 78 echo 'reclaims.info Number of current total reclaimed AVC entries. If this keeps changing, you may need to increase the cache size (/selinux/avc/cache_threshold).' 79 80 echo 'frees.label frees' 81 echo 'frees.type DERIVE' 82 echo 'frees.min 0' 83 echo 'frees.max 1000000000' 84 echo 'frees.draw STACK' 85 echo 'frees.colour 00ff7f' # Spring green 86 echo 'frees.info Number of free AVC entries.' 87 88 exit 0 89fi 90 91if [ -r "$AVCSTATS" ]; then 92 { 93 # consume (and ignore) the header 94 # shellcheck disable=SC2034 95 read -r HEADER 96 while read -r lookups hits misses allocations reclaims frees; do 97 LOOKUPS=$((LOOKUPS + lookups)) 98 HITS=$((HITS + hits)) 99 MISSES=$((MISSES + misses)) 100 ALLOCATIONS=$((ALLOCATIONS + allocations)) 101 RECLAIMS=$((RECLAIMS + reclaims)) 102 FREES=$((FREES + frees)) 103 done 104 } < "$AVCSTATS" 105 echo "lookups.value $LOOKUPS" 106 echo "hits.value $HITS" 107 echo "misses.value $MISSES" 108 echo "allocations.value $ALLOCATIONS" 109 echo "reclaims.value $RECLAIMS" 110 echo "frees.value $FREES" 111else 112 echo "lookups.value U" 113 echo "hits.value U" 114 echo "misses.value U" 115 echo "allocations.value U" 116 echo "reclaims.value U" 117 echo "frees.value U" 118fi 119