sediff(1)           SETools: SELinux Policy Analysis Tools           sediff(1)

NAME

       sediff - SELinux policy difference tool

SYNOPSIS

       sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2

DESCRIPTION

       Determine the differences between two SELinux policies.

POLICY

       A single file containing a binary policy. This file is usually named by
       version on Linux systems, for example, policy.30. This file is usually
       named sepolicy on Android systems. If not provided, sediff will print
       an error message and exit.

EXPRESSIONS

       The user may specify an expression listing the policy elements to
       differentiate. If not provided, all supported policy elements are
       examined.

   Component Differences
       --common
              Find differences in common permission sets.

       -c, --class
              Find differences in object classes.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       --sensitivity
              Find differences in sensitivity definitions.

       --category
              Find differences in category definitions.

       --level
              Find differences in MLS level definitions.

   Type Enforcement Rule Differences
       -A     Find differences in allow and allowxperm rules.

       --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --neverallow
              Find differences in neverallow rules.

       --allowxperm
              Find differences in allowxperm rules.

       --auditallowxperm
              Find differences in auditallowxperm rules.

       --dontauditxperm
              Find differences in dontauditxperm rules.

       --neverallowxperm
              Find differences in neverallowxperm rules.

       -T, --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.

   RBAC Rule Differences
       --role_allow
              Find differences in role allow rules.

       --role_trans
              Find differences in role_transition rules.

   MLS Rule Differences
       --range_trans
              Find differences in range_transition rules.

   Constraint Differences
       --constrain
              Find differences in constrain rules.

       --mlsconstrain
              Find differences in mlsconstrain rules.

       --validatetrans
              Find differences in validatetrans rules.

       --mlsvalidatetrans
              Find differences in mlsvalidatetrans rules.

   Labeling Statement Differences
       --initialsid
              Find differences in initial SID statements.

       --fs_use
              Find differences in fs_use_* statements.

       --genfscon
              Find differences in genfscon statements.

       --netifcon
              Find differences in netifcon statements.

       --nodecon
              Find differences in nodecon statements.

       --portcon
              Find differences in portcon statements.

   Other Differences
       --default
              Find differences in default_* statements.

       --property
              Find differences in policy properties. Only applicable for
              binary policies (policy version, MLS enabled/disabled, unknown
              permissions setting).

       --polcap
              Find differences in policy capabilities.

       --typebounds
              Find differences in typebound statements.

OPTIONS

       -h, --help
              Print help information and exit.

       --stats
              Print difference statistics only.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

DIFFERENCES

       sediff categorizes differences in policy elements into one of three
       forms.

              added  The element exists only in the modified policy.

              removed
                     The element exists only in the original policy.

              modified
                     The element exists in both policies but its semantic
                     meaning has changed. For example, a class is modified if
                     one or more permissions are added or removed.
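
       The three categories above, modelled on constructed class-to-permission
       maps. This is an added example, not SETools code; the class data, the
       function names and the report layout are assumptions of the example.

```python
# Added illustration of sediff's three difference categories; not SETools code.
# A policy is modelled as {element: set_of_permissions}. The two policies
# below are constructed sample data, not taken from a real system.

ORIGINAL = {
    "file":       {"read", "write", "execute"},
    "tcp_socket": {"connect", "listen"},
    "old_class":  {"use"},                      # hypothetical class name
}
MODIFIED = {
    "file":       {"read", "write", "execute", "map"},   # gained "map"
    "tcp_socket": {"connect", "listen"},                  # unchanged
    "bpf":        {"prog_load", "prog_run"},              # new class
}


def categorize(original, modified):
    """Split elements into added, removed and modified, as the page defines them."""
    added = sorted(modified.keys() - original.keys())      # only in modified
    removed = sorted(original.keys() - modified.keys())    # only in original
    changed = {}
    for name in sorted(original.keys() & modified.keys()):
        gained = modified[name] - original[name]
        lost = original[name] - modified[name]
        if gained or lost:  # same element, different permission set
            changed[name] = (sorted(gained), sorted(lost))
    return added, removed, changed


def report(original, modified):
    """Render the categories as text; this layout is the example's own."""
    added, removed, changed = categorize(original, modified)
    lines = [f"Added: {len(added)}"]
    lines += [f"  + {name}" for name in added]
    lines.append(f"Removed: {len(removed)}")
    lines += [f"  - {name}" for name in removed]
    lines.append(f"Modified: {len(changed)}")
    for name, (gained, lost) in changed.items():
        delta = [f"+{p}" for p in gained] + [f"-{p}" for p in lost]
        lines.append(f"  * {name} ({' '.join(delta)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ORIGINAL, MODIFIED))
```

       An element present in both policies with an identical permission set,
       such as tcp_socket here, falls into none of the three categories.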

AUTHOR

       Chris PeBenito <pebenito@ieee.org>

BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues

SEE ALSO

       apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project                   2016-04-19                         sediff(1)