sediff man page

sediff — SELinux policy difference tool

Synopsis

sediff [Options] [EXPRESSION] POLICY1 POLICY2

Description

Determine the differences between two SELinux policies.

Policy

sediff supports loading SELinux policies in one of two formats.

source:

A single text file containing a monolithic policy source. This file is usually named policy.conf.

binary:

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems.

Policies do not need to be the same format. If not provided, sediff will print an error message and exit.

Expressions

The user may specify an expression listing the policy elements to differentiate. If not provided, all supported policy elements are examined.

Component Differences

--common

Find differences in common permission sets.

-c, --class

Find differences in object classes.

-t, --type

Find differences in attributes associated with types.

-a, --attribute

Find differences in types assigned to attributes.

-r, --role

Find differences in types authorized for roles.

-u, --user

Find differences in roles authorized for users.

-b, --bool

Find differences in the default values of booleans.

--sensitivity

Find differences in sensitivity definitions.

--category

Find differences in category definitions.

--level

Find differences in MLS level definitions.

Type Enforcement Rule Differences

-A

Find differences in allow and allowxperm rules.

--allow

Find differences in allow rules.

--auditallow

Find differences in auditallow rules.

--dontaudit

Find differences in dontaudit rules.

--neverallow

Find differences in neverallow rules.

--allowxperm

Find differences in allowxperm rules.

--auditallowxperm

Find differences in auditallowxperm rules.

--dontauditxperm

Find differences in dontauditxperm rules.

--neverallowxperm

Find differences in neverallowxperm rules.

-T, --type_trans

Find differences in type_transition rules.

--type_member

Find differences in type_member rules.

--type_change

Find differences in type_change rules.

RBAC Rule Differences

--role_allow

Find differences in role allow rules.

--role_trans

Find differences in role_transition rules.

MLS Rule Differences

--range_trans

Find differences in range_transition rules.

Constraint Differences

--constrain

Find differences in constrain rules.

--mlsconstrain

Find differences in mlsconstrain rules.

--validatetrans

Find differences in validatetrans rules.

--mlsvalidatetrans

Find differences in mlsvalidatetrans rules.

Labeling Statement Differences

--initialsid

Find differences in initial SID statements.

--fs_use

Find differences in fs_use_* statements.

--genfscon

Find differences in genfscon statements.

--netifcon

Find differences in netifcon statements.

--nodecon

Find differences in nodecon statements.

--portcon

Find differences in portcon statements.

Other Differences

--default

Find differences in default_* statements.

--property

Find differences in policy properties. Only applicable for binary policies (policy version, MLS enabled/disabled, unknown permissions setting).

--polcap

Find differences in policy capabilities.

--typebounds

Find differences in typebound statements.

Options

-h, --help

Print help information and exit.

--stats

Print difference statistics only.

--version

Print version information and exit.

-v, --verbose

Print additional informational messages.

--debug

Enable debugging output.

Differences

sediff categorizes differences in policy elements into one of three forms.

added

The element exists only in the modified policy.

removed

The element exists only in the original policy.

modified

The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

Author

Chris PeBenito <cpebenito@tresys.com>

Bugs

Please report bugs via the SETools bug tracker, https://github.com/TresysTechnology/setools/issues

See Also

apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

Referenced By

apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1).

2016-04-19 Tresys Technology, LLC SETools: SELinux Policy Analysis Tools