6.4. Performance Tuning

The major performance hit that SELinux can make on the system is in the kernel, where the hooks used through LSM divert the kernel flow into the AVC. Usually, the working set of cached permissions used in normal system operations is relatively small, fewer than 100 AVC entries for most systems with a focused mission. SELinux maintains up to 512 entries in the cache, and does not usually need to perform additional lookups outside of that cache.

If you suspect you are having performance problems due to SELinux or you generally want to fine tune your system, you can monitor the AVC through the /selinux file system. The first file, /selinux/avc/hash_stats, shows the number of entries, the number of hash buckets used by the entries, and the length of the longest hash chain:

cat /selinux/avc/hash_stats
entries: 521                # total number of AVC entries
buckets used: 285/512       # total number of buckets
longest chain: 6            # hash chain of less than 10 is
                            # optimal

If your hash chains are growing to be larger than 10, there may be a performance impact. You can consider reducing the size of the cache. To increase or decrease the size of the cache, you can set a new value through this tunable:

cat /selinux/avc/cache_threshold
512
echo 768 > /selinux/avc/cache_threshold

# Check to be sure the change took hold.  Be sure you are 
# root when using the targeted policy.

cat /selinux/avc/cache_threshold
768

	Caution
	The default value of 512 for the cache threshold in Red Hat Enterprise Linux is set from extensive optimization benchmarking. Changing this value could have negative effects on system performance.

To be sure adjusting the cache limit is having positive effects on your performance, watch the number of reclaimed cache entries. Stale cache entries can build up following boot or long after daemon startup, which requires reclaiming entries when more are required for new processes. If you have a system where there are a high number of entries changing across a broad enough policy, this reclamation may occur more often and effect system performance. You can watch the reclaims column in the output of avcstat using the -c option, which displays the cumulative values:

avcstat -c 1
... reclaims ...
...      800 ...
...      830 ...
...      876 ...
...      912 ...
...      955 ...
...      992 ...
     

Occasional reclaim activity is within the bounds of normal, and it may increase when changing workloads. Excessive reclaims over a sustained period of time should be looked into.