sediff man page

sediff — SELinux policy difference tool

Synopsis

sediff [Options] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY

Description

sediff allows the user to inspect the semantic differences between two SELinux policies.

Policy

sediff supports loading SELinux policies in one of four formats.

source
A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
binary
A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
modular
A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
policy list
A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

Policies do not need to be the same format. If not provided sediff will print an error message and exit.

Expressions

The user may specify an expression listing the policy elements to differentiate. If not provided, all supported policy elements sans neverallows are examined.

-c, --class
Find differences in permissions assigned to object classes and common permission sets.
--level
Find differences in categories authorized for MLS levels.
--category
Find differences in category definitions.
-t, --type
Find differences in attributes associated with types.
-a, --attribute
Find differences in types assigned to attributes.
-r, --role
Find differences in types authorized for roles.
-u, --user
Find differences in roles authorized for users.
-b, --bool
Find differences in the default values of booleans.
-A, --allow
Find differences in allow rules.
--auditallow
Find differences in auditallow rules.
--dontaudit
Find differences in dontaudit rules.
--neverallow
Find differences in neverallow rules.
--type_trans
Find differences in type_transition rules.
--type_member
Find differences in type_member rules.
--type_change
Find differences in type_change rules.
--role_trans
Find differences in role_transition rules. This includes differences in the default role.
--role_allow
Find differences in role allow rules.
--range_trans
Find differences in range_transition rules. This includes differences in the target MLS range.

Options

-q, --quiet
If there are no differences for elements of a given kind, suppress status output for that kind of element.
--stats
Print difference statistics only.
-h, --help
Print help information and exit.
-V, --version
Print version information and exit.

Differences

sediff categorizes differences in policy elements into one of three forms.

added
The element exists only in the modified policy.
removed
The element exists only in the original policy.
modified
The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences due to new types from differences in rules for existing types.

added, new type
The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy.
removed, missing type
The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.

Note

Most shells interpret the semicolon as a metacharacter, thus requiring a backslash like so: sediff original.policy \; modified.policy

Author

This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

Bugs

Please report bugs via an email to setools-bugs@tresys.com.

See Also

sediffx(1)

Info