
NAME

       sediff - SELinux policy difference tool

SYNOPSIS

       sediff [OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY

DESCRIPTION

       sediff  allows the user to inspect the semantic differences between two
       SELinux policies.

POLICY

       sediff supports loading SELinux policies in one of four formats.

       source A single text file containing  policy  source  for  versions  12
              through 21. This file is usually named policy.conf.

       binary A  single  file containing a monolithic kernel binary policy for
              versions 15 through 21. This file is usually named by version  -
              for example, policy.20.

       modular
              A  list  of  policy  packages  each containing a loadable policy
              module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load
              a policy, usually exported by SETools graphical utilities.

       The two policies do not need to be in the same format. If either policy
       is not provided, sediff prints an error message and exits.

EXPRESSIONS

       The user may specify an  expression  listing  the  policy  elements  to
       differentiate.  If no expression is provided, all supported policy ele-
       ments except neverallow rules are examined.

       -c, --class
              Find differences in permissions assigned to object  classes  and
              common permission sets.

       --level
              Find differences in categories authorized for MLS levels.

       --category
              Find differences in category definitions.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       -A, --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --neverallow
              Find differences in neverallow rules.

       --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.

       --role_trans
              Find   differences  in  role_transition  rules.   This  includes
              differences in the default role.

       --role_allows
              Find differences in role allow rules.

       --range_trans
              Find  differences  in  range_transition  rules.   This  includes
              differences in the target MLS range.

OPTIONS

       -q, --quiet
              If  there  are  no  differences  for  elements  of a given kind,
              suppress status output for that kind of element.

       --stats
              Print difference statistics only.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

DIFFERENCES

       sediff categorizes differences in policy elements  into  one  of  three
       forms.

              added  The element exists only in the modified policy.

              removed
                     The element exists only in the original policy.

              modified
                     The  element  exists  in  both  policies but its semantic
                     meaning has changed.  For example, a class is modified if
                     one or more permissions are added or removed.

       For  all  rules  with  types  as their source or target, two additional
       forms of difference are recognized.  This helps distinguish differences
       due to new types from differences in rules for existing types.

              added, new type
                     The rule exists only in the modified policy; furthermore,
                     one or more of the types in the rule do not exist in  the
                     original policy.

              removed, missing type
                     The rule exists only in the original policy; furthermore,
                     one or more of the types in the rule do not exist in  the
                     modified policy.
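
       The five forms above applied to allow rules, as an added worked example
       that is not SETools code and not part of this manual page. It parses a
       constructed policy.conf-style snippet (only "type" and "allow" statements
       are handled; everything else is ignored), merges allow rules with the
       same source, target and class the way the kernel does, and then labels
       each difference as added, added with a new type, removed, removed with a
       missing type, or modified (with the permission delta). The policy text,
       the type and permission names, and the function names are all assumed
       for illustration.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

AllowKey = Tuple[str, str, str]  # (source type, target type, object class)

# Deliberately narrow: "type NAME[, attr...];" and
# "allow SRC TGT:CLASS { perm ... };" or "allow SRC TGT:CLASS perm;"
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,.*)?;\s*$")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{\s*([^}]*)\}|(\w+))\s*;\s*$"
)


def parse_policy(text: str) -> Tuple[Set[str], Dict[AllowKey, FrozenSet[str]]]:
    """Return (declared types, allow rules keyed by (src, tgt, class))."""
    types: Set[str] = set()
    allows: Dict[AllowKey, Set[str]] = {}
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            types.add(m.group(1))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            perms = set(braced.split()) if braced is not None else {single}
            # Several allow rules for one (src, tgt, class) are one rule semantically.
            allows.setdefault((src, tgt, cls), set()).update(perms)
    return types, {k: frozenset(v) for k, v in allows.items()}


def _perm_set(perms: FrozenSet[str]) -> str:
    return "{" + " ".join(sorted(perms)) + "}"


def diff_allows(orig_text: str, mod_text: str) -> Dict[str, List[str]]:
    """Classify allow-rule differences into the five forms sediff reports."""
    otypes, oallows = parse_policy(orig_text)
    mtypes, mallows = parse_policy(mod_text)
    out: Dict[str, List[str]] = {
        "added": [], "added, new type": [], "removed": [],
        "removed, missing type": [], "modified": [],
    }
    for key in sorted(set(oallows) | set(mallows)):
        src, tgt, cls = key
        label = f"allow {src} {tgt}:{cls}"
        if key in oallows and key in mallows:
            gained = mallows[key] - oallows[key]
            lost = oallows[key] - mallows[key]
            if gained or lost:  # same rule, changed permission set
                out["modified"].append(
                    f"{label} +{_perm_set(gained)} -{_perm_set(lost)}")
        elif key in mallows:
            # Rule only in the modified policy: distinguish new types from
            # new rules over types the original policy already had.
            if src not in otypes or tgt not in otypes:
                out["added, new type"].append(label)
            else:
                out["added"].append(label)
        else:
            if src not in mtypes or tgt not in mtypes:
                out["removed, missing type"].append(label)
            else:
                out["removed"].append(label)
    return out


def stats(diff: Dict[str, List[str]]) -> Dict[str, int]:
    """Counts per form, in the spirit of sediff --stats."""
    return {form: len(items) for form, items in diff.items()}


# Constructed sample policies (assumed, not taken from any real policy).
ORIGINAL = """
type sshd_t, domain;
type user_home_t, file_type;
type old_log_t;
allow sshd_t user_home_t:file { read getattr };
allow sshd_t user_home_t:lnk_file read;
allow sshd_t old_log_t:file write;
allow sshd_t sshd_t:process fork;
"""

MODIFIED = """
type sshd_t, domain;
type user_home_t, file_type;
type sshd_key_t;
allow sshd_t user_home_t:file { read getattr open };
allow sshd_t user_home_t:dir search;
allow sshd_t sshd_key_t:file { read open };
allow sshd_t sshd_t:process { fork sigchld };
"""

if __name__ == "__main__":
    result = diff_allows(ORIGINAL, MODIFIED)
    for form, items in result.items():
        if items:  # equivalent of -q: skip forms with no differences
            print(f"{form} ({len(items)}):")
            for item in items:
                print("   ", item)
```

       The "removed, missing type" entry for old_log_t and the "added, new
       type" entry for sshd_key_t are the cases where a rule change is really
       a type declaration change, which is why sediff reports them separately
       from ordinary added and removed rules.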

NOTE

       Most  shells interpret the semicolon as a metacharacter, so it must be
       escaped with a backslash or quoted, like so:
       sediff original.policy \; modified.policy
       or
       sediff original.policy ';' modified.policy

AUTHOR

       This manual page was written by Jeremy A. Mowery  <jmowery@tresys.com>.

COPYRIGHT

       Copyright(C) 2004-2007 Tresys Technology, LLC

BUGS

       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO

       sediffx(1)

                                                                     sediff(1)