sediff(1)           SETools: SELinux Policy Analysis Tools           sediff(1)


NAME

       sediff - SELinux policy difference tool


SYNOPSIS

       sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2


DESCRIPTION

       Determine the differences between two SELinux policies.


POLICY

       A single file containing a binary policy.  On Linux systems this file is
       usually named by policy version, for example policy.30; on Android sys‐
       tems it is usually named sepolicy.  Two policies are required: POLICY1
       is treated as the original and POLICY2 as the modified policy (see DIF‐
       FERENCES).  If either is not provided, sediff prints an error message
       and exits.


EXPRESSIONS

       The user may specify an expression listing the policy elements to dif‐
       ferentiate.  If not provided, all supported policy elements are exam‐
       ined.

   Component Differences
       --common
              Find differences in common permission sets.

       -c, --class
              Find differences in object classes.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       --sensitivity
              Find differences in sensitivity definitions.

       --category
              Find differences in category definitions.

       --level
              Find differences in MLS level definitions.

   Type Enforcement Rule Differences
       -A     Find differences in allow and allowxperm rules.

       --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --allowxperm
              Find differences in allowxperm rules.

       --auditallowxperm
              Find differences in auditallowxperm rules.

       --dontauditxperm
              Find differences in dontauditxperm rules.

       -T, --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.

   RBAC Rule Differences
       --role_allow
              Find differences in role allow rules.

       --role_trans
              Find differences in role_transition rules.

   MLS Rule Differences
       --range_trans
              Find differences in range_transition rules.

   Constraint Differences
       --constrain
              Find differences in constrain rules.

       --mlsconstrain
              Find differences in mlsconstrain rules.

       --validatetrans
              Find differences in validatetrans rules.

       --mlsvalidatetrans
              Find differences in mlsvalidatetrans rules.

   Labeling Statement Differences
       --ibendportcon
              Find differences in ibendportcon (InfiniBand endport context)
              statements.

       --ibpkeycon
              Find differences in ibpkeycon (InfiniBand partition key context)
              statements.

       --initialsid
              Find differences in initial SID statements.

       --fs_use
              Find differences in fs_use_* statements.

       --genfscon
              Find differences in genfscon statements.

       --netifcon
              Find differences in netifcon statements.

       --nodecon
              Find differences in nodecon statements.

       --portcon
              Find differences in portcon statements.

   Other Differences
       --default
              Find differences in default_* statements.

       --property
              Find differences in policy properties.  Only applicable for bi‐
              nary policies (policy version, MLS enabled/disabled, unknown
              permissions setting).

       --polcap
              Find differences in policy capabilities.

       --typebounds
              Find differences in typebounds statements.


OPTIONS

       -h, --help
              Print help information and exit.

       --stats
              Print difference statistics only.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.


DIFFERENCES

       sediff categorizes differences in policy elements into one of three
       forms.

              added  The element exists only in the modified policy (POLICY2).

              removed
                     The element exists only in the original policy (POLICY1).

              modified
                     The element exists in both policies but its semantic
                     meaning has changed.  For example, a class is modified if
                     one or more permissions are added or removed.


EXAMPLE

       Show differences in boolean settings:

              # sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33

       Show statistics for allow and allowxperm rule changes (how many rules
       were added, removed, or modified):

              # sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33

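       The following shell script is an added example; it is not part of
       SETools or of this manual.  It builds on the --stats example above and
       on the added/removed/modified classification in DIFFERENCES: it parses
       sediff output to decide whether a policy update has gained access (new
       or modified allow/allowxperm rules, as opposed to removals only) and to
       list added rules that mention a given type.  The sample outputs embedded
       in it are constructed, and the exact output format it parses (the
       "<Kind> Rules (N Added, N Removed, N Modified)" summary line and the
       "+", "-", "*" prefixes on individual rules) is assumed rather than quoted
       from this page; check_drift only invokes sediff when it is installed.

```shell
#!/bin/sh
# Added example (not SETools code): gate a policy update on sediff output.
# Assumed output format: a summary line per rule kind,
#   "<Kind> Rules (N Added, N Removed, N Modified)"
# and, without --stats, individual rules prefixed "+" (added), "-" (removed),
# "*" (modified).  The samples below are constructed, not captured from a system.

# Constructed sample of `sediff -A --stats OLD NEW`: one allow rule added,
# two allow rules modified, allowxperm rules unchanged.
SAMPLE_STATS='Allow Rules (1 Added, 0 Removed, 2 Modified)
Allowxperm Rules (0 Added, 0 Removed, 0 Modified)'

# Constructed sample of `sediff --allow OLD NEW` (full output).
SAMPLE_FULL='Allow Rules (2 Added, 1 Removed, 0 Modified)
   Added Allow Rules: 2
      + allow httpd_t shadow_t:file { read open };
      + allow httpd_t httpd_log_t:file { append };
   Removed Allow Rules: 1
      - allow httpd_t tmp_t:file { write };
   Modified Allow Rules: 0'

# count_diffs KIND FIELD  (reads sediff output on stdin)
# Prints the FIELD (Added|Removed|Modified) count from the "KIND Rules (...)"
# summary line, or 0 if no summary line for that kind is present.
count_diffs() {
    awk -v kind="$1" -v field="$2" '
        $0 ~ ("^" kind " Rules \\(") {
            s = $0
            sub(/^[^(]*\(/, "", s)          # drop e.g. "Allow Rules ("
            sub(/\)$/, "", s)               # drop the trailing ")"
            n = split(s, parts, ", ")       # "1 Added", "0 Removed", ...
            for (i = 1; i <= n; i++) {
                split(parts[i], kv, " ")
                if (kv[2] == field) { print kv[1]; found = 1 }
            }
        }
        END { if (!found) print 0 }'
}

# has_permission_growth  (reads sediff output on stdin)
# Returns 0 if any allow or allowxperm rule was added or modified, i.e. the
# new policy may grant access the old one did not.  Removed rules only narrow
# access, so a diff consisting solely of removals returns 1.
has_permission_growth() {
    out=$(cat)
    for kind in Allow Allowxperm; do
        for field in Added Modified; do
            n=$(printf '%s\n' "$out" | count_diffs "$kind" "$field")
            [ "$n" -gt 0 ] && return 0
        done
    done
    return 1
}

# added_rules_mentioning TYPE  (reads full sediff output on stdin)
# Prints each added ("+") rule whose text contains TYPE, prefix stripped;
# useful for spotting new access to sensitive types such as shadow_t.
added_rules_mentioning() {
    awk -v t="$1" '
        $1 == "+" && index($0, t) {
            sub(/^[[:space:]]*\+[[:space:]]*/, "")
            print
        }'
}

# check_drift BASELINE CURRENT
# Runs sediff (only if installed) and fails when allow/allowxperm rules grew.
check_drift() {
    if ! command -v sediff >/dev/null 2>&1; then
        echo "sediff is not installed" >&2
        return 2
    fi
    if sediff -A --stats "$1" "$2" | has_permission_growth; then
        echo "allow/allowxperm rules added or modified; inspect with: sediff -A $1 $2" >&2
        return 1
    fi
    echo "no new or modified allow/allowxperm rules"
}

# Demonstration on the constructed samples (no sediff needed).
printf '%s\n' "$SAMPLE_STATS" | has_permission_growth && echo "sample: permission growth detected"
printf '%s\n' "$SAMPLE_FULL" | added_rules_mentioning shadow_t
```

       A typical use is check_drift /backup/policy.33 /etc/selinux/targeted/policy/policy.33
       from a cron job or a configuration-management hook, treating a non-zero
       exit as a signal to review the full sediff -A output before accepting
       the new policy.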

AUTHOR

       Chris PeBenito <pebenito@ieee.org>


BUGS

       Please report bugs via the SETools bug tracker,
       https://github.com/SELinuxProject/setools/issues


SEE ALSO

       apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project                   2016-04-19                         sediff(1)