| FAPOLICYD.METRICS(5) | File Formats | FAPOLICYD.METRICS(5) |
NAME
fapolicyd.metrics - fapolicyd runtime metrics report file
DESCRIPTION
The /run/fapolicyd/fapolicyd.metrics file contains the most recent daemon metrics report requested through fapolicyd-cli --check-metrics, fapolicyd-cli --reset-metrics, or periodic interval reporting.
The metrics report answers the question of where runtime hot paths and cache effects are. The state report, written to /run/fapolicyd/fapolicyd.state, answers whether the daemon is healthy and configured as expected. Each field is printed as a name: value line. Section headers end in a colon.
HEADER
- Last metrics reset
- The wall-clock time of the last successful metrics reset, or never when metrics have not been reset since daemon start. Reset reports show the counter window that is about to be reset; later metrics reports show the new reset time.
- Ruleset generation
- The active ruleset generation that the counters and rule hit table apply to.
Decision outcomes
- Allowed accesses
- The number of policy decisions that allowed access.
- Denied accesses
- The number of policy decisions that denied access.
- Allowed by rule
- The number of allow decisions produced by a matching rule.
- Allowed by fallthrough
- The number of allow decisions produced when no rule had an opinion and the daemon used the default allow behavior. Detailed fallthrough dimensions are printed when this value is non-zero.
Inter-thread queue & defer activity
- Inter-thread max queue depth
- The highest internal event queue depth observed since the last metrics reset.
- Subject deferred events
- The cumulative number of fanotify permission events deferred since the last metrics reset because another process was still building subject pattern state in the same cache slot.
- Subject defer max depth
- The highest number of concurrently deferred subject events observed since the last metrics reset.
- Subject defer fallbacks
- The cumulative number of defer-array-full fallbacks since the last metrics reset. This field also appears in the state report because non-zero values are health indicators.
Subject cache effectiveness
- Subject hits
- The number of subject cache hits.
- Subject misses
- The number of subject cache misses.
- Subject collisions
- The number of populated subject cache slots whose full process identity did not match the current event and therefore had to be evicted before reuse.
- Subject evictions
- The number of subject cache evictions and the eviction percentage relative to subject cache hits.
- Early subject cache evictions
- The number of subject cache entries evicted before process startup state was complete. This field also appears in the state report because non-zero values are health indicators.
- Subject BUILDING tracer evictions
- The number of BUILDING subject cache entries evicted because the owning process was traced and could hold the slot indefinitely. This field also appears in the state report because non-zero values are health indicators.
- Subject BUILDING stale evictions
- The number of BUILDING subject cache entries evicted because their startup state stayed incomplete past the bounded stale window. This field also appears in the state report because non-zero values are health indicators.
Object cache effectiveness
- Object hits
- The number of object cache hits.
- Object misses
- The number of object cache misses.
- Object collisions
- The number of populated object cache slots whose full file identity did not match the current event and therefore had to be evicted before reuse.
- Object evictions
- The number of object cache evictions and the eviction percentage relative to object cache hits.
Rule hit counts
- Hits/rule
- One line per configured rule in rule order. The line includes the one-based rule number, hit count, and rule text. Rule hit counters are naturally scoped to the active ruleset generation and start at zero when a new ruleset is loaded. A metrics reset also clears the counters after reporting them, which allows focused tests against the currently loaded rules without forcing a rule reload.
Subject attribute lookups
- Subject attr
- One line is printed for each counted subject attribute in the form name requests=count lookups=count. The requests count increments when policy evaluation or syslog formatting asks for the attribute. The lookups count increments only when that attribute was absent from the event subject cache and fapolicyd had to compute or fetch it.
Object attribute lookups
- Object attr
- One line is printed for each counted object attribute in the form name requests=count lookups=count. The requests count increments when policy evaluation or syslog formatting asks for the attribute. The lookups count increments only when that attribute was absent from the event object cache and fapolicyd had to compute or fetch it.
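The following parser is an added example, not code from fapolicyd or from this manual page. It reads a report in the name: value layout described above, collects the requests=/lookups= attribute lines per section, and lists the counters this page calls health indicators when they are non-zero, together with the share of allows that came from fallthrough. The sample report is constructed, and the function names and the exact line layout are assumptions.

```python
import re

# Constructed sample; layout assumed from the field descriptions, not captured output.
SAMPLE = """\
Decision outcomes:
Allowed accesses: 1200
Allowed by fallthrough: 50
Inter-thread queue & defer activity:
Subject defer fallbacks: 2
Subject cache effectiveness:
Early subject cache evictions: 0
Subject BUILDING stale evictions: 1
Subject attribute lookups:
exe requests=1200 lookups=300
"""

# Counters this page says also appear in the state report as health indicators.
HEALTH_FIELDS = ("Subject defer fallbacks", "Early subject cache evictions",
                 "Subject BUILDING tracer evictions",
                 "Subject BUILDING stale evictions")
ATTR_RE = re.compile(r"(\S+) requests=(\d+) lookups=(\d+)")

def parse_metrics(text):
    """Return (fields, attrs): name -> value, (section, attr) -> (requests, lookups)."""
    fields, attrs, section = {}, {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        attr = ATTR_RE.search(line)
        if attr:  # "name requests=count lookups=count"
            attrs[(section, attr.group(1))] = (int(attr.group(2)), int(attr.group(3)))
        elif line.endswith(":"):  # section headers end in a colon
            section = line[:-1]
        elif ": " in line:  # "name: value"; split on the first separator only
            name, _, value = line.partition(": ")
            fields[name] = value.strip()
    return fields, attrs

def leading_int(value):  # eviction values also carry a percentage after the count
    match = re.match(r"\d+", value or "")
    return int(match.group()) if match else 0

def review(fields):
    """List non-zero health indicators and the share of allows with no rule opinion."""
    findings = [f"{name} = {leading_int(fields.get(name))}"
                for name in HEALTH_FIELDS if leading_int(fields.get(name))]
    allowed = leading_int(fields.get("Allowed accesses"))
    fallthrough = leading_int(fields.get("Allowed by fallthrough"))
    if allowed and fallthrough:
        findings.append(f"Allowed by fallthrough = {fallthrough} "
                        f"({fallthrough / allowed:.1%} of allowed accesses)")
    return findings
```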
NOTES
Metrics resets affect counters in this report. Static configuration, current utilization snapshots, watched mounts, and health indicators are reported in fapolicyd.state(5) and are not reset by fapolicyd-cli --reset-metrics.
FILES
- /run/fapolicyd/fapolicyd.metrics
- Runtime metrics report file.
- /run/fapolicyd/fapolicyd.state
- Runtime state report file.
- /run/fapolicyd/fapolicyd.timing
- Manual decision timing report written when a privileged stop request ends an armed timing run, when a stop request finds timing unarmed, or when timing collection stops to avoid counter overflow.
SEE ALSO
fapolicyd(8), fapolicyd-cli(8), fapolicyd.conf(5), fapolicyd.rules(5), fapolicyd.state(5), fapolicyd.timing(5), and fapolicyd.trust(5).
| May 2026 | Red Hat |