sediff(1)                    General Commands Manual                   sediff(1)

       sediff - SELinux policy difference tool

       sediff [OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY

       sediff allows the user to inspect the semantic differences between two
       SELinux policies.
14
       sediff supports loading SELinux policies in one of four formats.

       source      A single text file containing policy source for versions 12
                   through 21. This file is usually named policy.conf.

       binary      A single file containing a monolithic kernel binary policy
                   for versions 15 through 21. This file is usually named by
                   version, for example policy.20.

       modular     A list of policy packages each containing a loadable policy
                   module. The first module listed must be a base module.

       policy list A single text file containing all the information needed to
                   load a policy, usually exported by SETools graphical
                   utilities.

       The two policies do not need to be in the same format. If both policies
       are not provided, sediff prints an error message and exits.

       The user may specify an expression listing the policy elements to
       differentiate. If not provided, all supported policy elements except
       neverallows are examined.

       -c, --class
              Find differences in permissions assigned to object classes and
              common permission sets.

       --level
              Find differences in categories authorized for MLS levels.

       --category
              Find differences in category definitions.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       -A, --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --neverallow
              Find differences in neverallow rules.

       --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.

       --role_trans
              Find differences in role_transition rules. This includes
              differences in the default role.

       --role_allow
              Find differences in role allow rules.

       --range_trans
              Find differences in range_transition rules. This includes
              differences in the target MLS range.

       -q, --quiet
              If there are no differences for elements of a given kind,
              suppress status output for that kind of element.

       --stats
              Print difference statistics only.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

       sediff categorizes differences in policy elements into one of three
       forms.

       added       The element exists only in the modified policy.

       removed     The element exists only in the original policy.

       modified    The element exists in both policies but its semantic
                   meaning has changed. For example, a class is modified if
                   one or more permissions are added or removed.

       For all rules with types as their source or target, two additional
       forms of difference are recognized. This helps distinguish differences
       due to new types from differences in rules for existing types.

       added, new type
                   The rule exists only in the modified policy; furthermore,
                   one or more of the types in the rule do not exist in the
                   original policy.

       removed, missing type
                   The rule exists only in the original policy; furthermore,
                   one or more of the types in the rule do not exist in the
                   modified policy.
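
       The classification above, worked through as an added example (this is
       not SETools code and does not use its parser): allow rules from two
       constructed toy policies are sorted into the five forms, and the
       per-form counts mirror the kind of summary --stats prints. All type
       names, rules and permissions below are made up.

```python
# Added example (not SETools code): classify allow-rule differences between two
# constructed toy policies into the five forms a sediff report uses.
# A policy is modelled as a set of declared types plus a set of allow rules
# (source, target, class, frozenset-of-permissions). Two rules are the same
# element when source, target and class match; they are "modified" when only
# the permission set differs (permissions added or removed).

ORIG_TYPES = {"sshd_t", "user_t", "staff_t", "shadow_t"}          # constructed
ORIG_RULES = {
    ("sshd_t", "shadow_t", "file", frozenset({"read", "getattr"})),
    ("user_t", "user_t", "process", frozenset({"fork"})),
    ("sshd_t", "user_t", "process", frozenset({"transition"})),
    ("staff_t", "user_t", "process", frozenset({"sigkill"})),
}
MOD_TYPES = {"sshd_t", "user_t", "shadow_t", "ssh_keygen_t"}      # staff_t gone, ssh_keygen_t new
MOD_RULES = {
    ("sshd_t", "shadow_t", "file", frozenset({"read"})),           # getattr removed -> modified
    ("user_t", "user_t", "process", frozenset({"fork"})),          # unchanged
    ("sshd_t", "sshd_t", "process", frozenset({"setrlimit"})),     # added, existing types
    ("ssh_keygen_t", "shadow_t", "file", frozenset({"read"})),     # added, new type
}

def diff_allow_rules(orig_types, orig_rules, mod_types, mod_rules):
    """Return {form: sorted list of differences} for the five forms."""
    orig = {(s, t, c): p for s, t, c, p in orig_rules}
    mod = {(s, t, c): p for s, t, c, p in mod_rules}
    out = {"added": [], "added_new_type": [], "removed": [],
           "removed_missing_type": [], "modified": []}
    for key in orig.keys() | mod.keys():
        src, tgt, _cls = key
        if key in orig and key in mod:
            if orig[key] != mod[key]:
                # modified: report permissions dropped and permissions gained
                out["modified"].append((key, sorted(orig[key] - mod[key]),
                                        sorted(mod[key] - orig[key])))
        elif key in mod:
            # rule only in the modified policy; is one of its types new there?
            new = src not in orig_types or tgt not in orig_types
            out["added_new_type" if new else "added"].append(key)
        else:
            # rule only in the original policy; is one of its types missing now?
            missing = src not in mod_types or tgt not in mod_types
            out["removed_missing_type" if missing else "removed"].append(key)
    return {form: sorted(items) for form, items in out.items()}

def diff_stats(diff):
    """Per-form counts, the kind of summary --stats prints."""
    return {form: len(items) for form, items in diff.items()}

if __name__ == "__main__":
    for form, items in diff_allow_rules(ORIG_TYPES, ORIG_RULES, MOD_TYPES, MOD_RULES).items():
        print(form, items)
```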

       Most shells interpret the semicolon as a metacharacter, thus requiring
       a backslash, like so:

              sediff original.policy \; modified.policy

       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

       Copyright (C) 2004-2007 Tresys Technology, LLC

       Please report bugs via an email to setools-bugs@tresys.com.

       sediffx(1)