sediff(1)           SETools: SELinux Policy Analysis Tools           sediff(1)



NAME

       sediff - SELinux policy difference tool



SYNOPSIS

       sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2



DESCRIPTION

       Determine the differences between two SELinux policies.



POLICY

       sediff supports loading SELinux policies in one of two formats.

              source:
                     A single text file containing a monolithic policy source.
                     This file is usually named policy.conf.

              binary:
                     A single file containing a binary policy. This file is
                     usually named by version on Linux systems, for example,
                     policy.30. This file is usually named sepolicy on Android
                     systems.

       POLICY1 is treated as the original policy and POLICY2 as the modified
       policy; the two do not need to be in the same format. If either policy
       is not provided, sediff prints an error message and exits.



EXPRESSIONS

       The user may specify an expression listing the policy elements to
       compare. If no expression is given, all supported policy elements are
       examined.

   Component Differences
       --common
              Find differences in common permission sets.

       -c, --class
              Find differences in object classes.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       --sensitivity
              Find differences in sensitivity definitions.

       --category
              Find differences in category definitions.

       --level
              Find differences in MLS level definitions.


   Type Enforcement Rule Differences
       -A     Find differences in allow and allowxperm rules.

       --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --neverallow
              Find differences in neverallow rules.

       --allowxperm
              Find differences in allowxperm rules.

       --auditallowxperm
              Find differences in auditallowxperm rules.

       --dontauditxperm
              Find differences in dontauditxperm rules.

       --neverallowxperm
              Find differences in neverallowxperm rules.

       -T, --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.


   RBAC Rule Differences
       --role_allow
              Find differences in role allow rules.

       --role_trans
              Find differences in role_transition rules.


   MLS Rule Differences
       --range_trans
              Find differences in range_transition rules.


   Constraint Differences
       --constrain
              Find differences in constrain rules.

       --mlsconstrain
              Find differences in mlsconstrain rules.

       --validatetrans
              Find differences in validatetrans rules.

       --mlsvalidatetrans
              Find differences in mlsvalidatetrans rules.


   Labeling Statement Differences
       --initialsid
              Find differences in initial SID statements.

       --fs_use
              Find differences in fs_use_* statements.

       --genfscon
              Find differences in genfscon statements.

       --netifcon
              Find differences in netifcon statements.

       --nodecon
              Find differences in nodecon statements.

       --portcon
              Find differences in portcon statements.


   Other Differences
       --default
              Find differences in default_* statements.

       --property
              Find differences in policy properties. Only applicable for
              binary policies (policy version, MLS enabled/disabled, unknown
              permissions setting).

       --polcap
              Find differences in policy capabilities.

       --typebounds
              Find differences in typebounds statements.



OPTIONS

       -h, --help
              Print help information and exit.

       --stats
              Print difference statistics only.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.



DIFFERENCES

       sediff categorizes differences in policy elements into one of three
       forms.

              added  The element exists only in the modified policy (POLICY2).

              removed
                     The element exists only in the original policy (POLICY1).

              modified
                     The element exists in both policies but its semantic
                     meaning has changed. For example, a class is modified if
                     one or more permissions are added or removed.

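       The following Python example is added here to illustrate this
       categorization; it is not SETools code and does not use the setools
       API. It parses a constructed handful of allow rules from two policy
       source snippets, keys each rule by (source, target, class) the way an
       unconditional allow rule is identified, and reports added, removed and
       modified rules together with the permission delta, so that a rule
       whose permission set only changed order is not reported while a rule
       that gained a permission shows as modified rather than as one removal
       plus one addition. Conditional rules, attribute sets and the ~/-/*
       permission syntax are deliberately left out of the parser.

```python
"""Added example (not SETools code): the added/removed/modified split that
sediff applies, shown on allow rules parsed from two constructed snippets."""
import re
from dataclasses import dataclass, field

# Matches `allow SRC TGT:CLS { p1 p2 };` and the single-permission form
# `allow SRC TGT:CLS p1;`.  Set syntax for types ({ a b }, ~, -, *) is
# outside this illustration.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;{}]+)\s*;\s*$"
)


def parse_allow_rules(policy_text: str) -> dict:
    """Return {(source, target, class): frozenset(permissions)}.

    Rules sharing a key are merged, mirroring how duplicate allow rules
    are unioned when a policy is compiled.
    """
    rules: dict = {}
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # comment, blank line or some other statement
        src, tgt, cls, perms = m.groups()
        key = (src, tgt, cls)
        rules[key] = rules.get(key, frozenset()) | frozenset(perms.strip("{}").split())
    return rules


@dataclass
class ElementDiff:
    """key -> content for added/removed; key -> (before, after) for modified."""
    added: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)
    modified: dict = field(default_factory=dict)

    def summary(self) -> str:
        return (f"{len(self.added)} Added, {len(self.removed)} Removed, "
                f"{len(self.modified)} Modified")


def diff_elements(original: dict, modified: dict) -> ElementDiff:
    """Categorize keyed elements as DIFFERENCES describes: key only in
    `modified` -> added; only in `original` -> removed; in both but with
    different content -> modified.  Content is compared as sets, so
    `{ read write }` versus `{ write read }` is not a difference."""
    result = ElementDiff()
    for key in modified.keys() - original.keys():
        result.added[key] = modified[key]
    for key in original.keys() - modified.keys():
        result.removed[key] = original[key]
    for key in original.keys() & modified.keys():
        if original[key] != modified[key]:
            result.modified[key] = (original[key], modified[key])
    return result


def permission_delta(before: frozenset, after: frozenset):
    """(permissions gained, permissions lost) for a modified rule."""
    return sorted(after - before), sorted(before - after)


def report(diff: ElementDiff) -> str:
    """Render with +/-/* markers; the layout is this example's own."""
    lines = [f"Allow Rules ({diff.summary()})"]
    for (s, t, c), perms in sorted(diff.added.items()):
        lines.append(f"   + allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    for (s, t, c), perms in sorted(diff.removed.items()):
        lines.append(f"   - allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    for (s, t, c), (before, after) in sorted(diff.modified.items()):
        gained, lost = permission_delta(before, after)
        delta = [f"+{p}" for p in gained] + [f"-{p}" for p in lost]
        lines.append(f"   * allow {s} {t}:{c} {{ {' '.join(sorted(after))} }};"
                     f"  ({' '.join(delta)})")
    return "\n".join(lines)


# Constructed snippets for the example; not taken from any real policy.
ORIGINAL_POLICY = """
allow httpd_t httpd_log_t:file { create append };
allow httpd_t http_port_t:tcp_socket name_bind;
allow httpd_t httpd_tmp_t:dir { read write };
"""
MODIFIED_POLICY = """
# same rule with permissions reordered: not a difference
allow httpd_t httpd_log_t:file { append create };
# existing rule gained a permission: modified
allow httpd_t http_port_t:tcp_socket { name_bind name_connect };
# new rule on a sensitive target: added
allow httpd_t shadow_t:file read;
"""


def diff_allow_rules(original_text: str, modified_text: str) -> ElementDiff:
    return diff_elements(parse_allow_rules(original_text),
                         parse_allow_rules(modified_text))


if __name__ == "__main__":
    print(report(diff_allow_rules(ORIGINAL_POLICY, MODIFIED_POLICY)))
```

       On real policies the same three-way split for this element kind is
       produced by `sediff --allow POLICY1 POLICY2`; the added rule against
       shadow_t is the sort of entry a reviewer looks for first in such a
       report.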

AUTHOR

       Chris PeBenito <cpebenito@tresys.com>



BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/TresysTechnology/setools/issues



SEE ALSO

       apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)



Tresys Technology, LLC            2016-04-19                         sediff(1)