NAME
sediff - SELinux policy difference tool
SYNOPSIS
sediff [OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY
DESCRIPTION
sediff allows the user to inspect the semantic differences between two
SELinux policies.
POLICY
sediff supports loading SELinux policies in one of four formats.
source A single text file containing policy source for versions 12
through 21. This file is usually named policy.conf.
binary A single file containing a monolithic kernel binary policy for
versions 15 through 21. This file is usually named by version -
for example, policy.20.
modular
A list of policy packages each containing a loadable policy
module. The first module listed must be a base module.
policy list
A single text file containing all the information needed to load
a policy, usually exported by SETools graphical utilities.
Policies do not need to be the same format. If not provided sediff will
print an error message and exit.
EXPRESSIONS
The user may specify an expression listing the policy elements to
differentiate. If not provided, all supported policy elements sans
neverallows are examined.
-c, --class
Find differences in permissions assigned to object classes and
common permission sets.
--level
Find differences in categories authorized for MLS levels.
--category
Find differences in category definitions.
-t, --type
Find differences in attributes associated with types.
-a, --attribute
Find differences in types assigned to attributes.
-r, --role
Find differences in types authorized for roles.
-u, --user
Find differences in roles authorized for users.
-b, --bool
Find differences in the default values of booleans.
-A, --allow
Find differences in allow rules.
--auditallow
Find differences in auditallow rules.
--dontaudit
Find differences in dontaudit rules.
--neverallow
Find differences in neverallow rules.
--type_trans
Find differences in type_transition rules.
--type_member
Find differences in type_member rules.
--type_change
Find differences in type_change rules.
--role_trans
Find differences in role_transition rules. This includes
differences in the default role.
--role_allows
Find differences in role allow rules.
--range_trans
Find differences in range_transition rules. This includes
differences in the target MLS range.
OPTIONS
-q, --quiet
If there are no differences for elements of a given kind,
suppress status output for that kind of element.
--stats
Print difference statistics only.
-h, --help
Print help information and exit.
-V, --version
Print version information and exit.
DIFFERENCES
sediff categorizes differences in policy elements into one of three
forms.
added The element exists only in the modified policy.
removed
The element exists only in the original policy.
modified
The element exists in both policies but its semantic
meaning has changed. For example, a class is modified if
one or more permissions are added or removed.
For all rules with types as their source or target, two additional
forms of difference are recognized. This helps distinguish differences
due to new types from differences in rules for existing types.
added, new type
The rule exists only in the modified policy; furthermore,
one or more of the types in the rule do not exist in the
original policy.
removed, missing type
The rule exists only in the original policy; furthermore,
one or more of the types in the rule do not exist in the
modified policy.
NOTE
Most shells interpret the semicolon as a metacharacter, thus requiring
a backslash like so: sediff original.policy \; modified.policy
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright(C) 2004-2007 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
sediffx(1)
sediff(1)