
SEDIFF(1) - Linux manual page online | User commands

SELinux policy difference tool.

2016-04-19
sediff(1) SETools: SELinux Policy Analysis Tools sediff(1)

NAME

sediff - SELinux policy difference tool

SYNOPSIS

sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2

DESCRIPTION

Determine the differences between two SELinux policies.

POLICY

sediff supports loading SELinux policies in one of two formats.

       source    A single text file containing a monolithic policy source. This
                 file is usually named policy.conf.

       binary    A single file containing a binary policy. This file is usually
                 named by version on Linux systems, for example, policy.30. This
                 file is usually named sepolicy on Android systems.

       Policies do not need to be the same format. If not provided, sediff will
       print an error message and exit.

EXPRESSIONS

The user may specify an expression listing the policy elements to differentiate.
If not provided, all supported policy elements are examined.

   Component Differences

       --common             Find differences in common permission sets.
       -c, --class          Find differences in object classes.
       -t, --type           Find differences in attributes associated with types.
       -a, --attribute      Find differences in types assigned to attributes.
       -r, --role           Find differences in types authorized for roles.
       -u, --user           Find differences in roles authorized for users.
       -b, --bool           Find differences in the default values of booleans.
       --sensitivity        Find differences in sensitivity definitions.
       --category           Find differences in category definitions.
       --level              Find differences in MLS level definitions.

   Type Enforcement Rule Differences

       -A                   Find differences in allow and allowxperm rules.
       --allow              Find differences in allow rules.
       --auditallow         Find differences in auditallow rules.
       --dontaudit          Find differences in dontaudit rules.
       --neverallow         Find differences in neverallow rules.
       --allowxperm         Find differences in allowxperm rules.
       --auditallowxperm    Find differences in auditallowxperm rules.
       --dontauditxperm     Find differences in dontauditxperm rules.
       --neverallowxperm    Find differences in neverallowxperm rules.
       -T, --type_trans     Find differences in type_transition rules.
       --type_member        Find differences in type_member rules.
       --type_change        Find differences in type_change rules.

   RBAC Rule Differences

       --role_allow         Find differences in role allow rules.
       --role_trans         Find differences in role_transition rules.

   MLS Rule Differences

       --range_trans        Find differences in range_transition rules.

   Constraint Differences

       --constrain          Find differences in constrain rules.
       --mlsconstrain       Find differences in mlsconstrain rules.
       --validatetrans      Find differences in validatetrans rules.
       --mlsvalidatetrans   Find differences in mlsvalidatetrans rules.

   Labeling Statement Differences

       --initialsid         Find differences in initial SID statements.
       --fs_use             Find differences in fs_use_* statements.
       --genfscon           Find differences in genfscon statements.
       --netifcon           Find differences in netifcon statements.
       --nodecon            Find differences in nodecon statements.
       --portcon            Find differences in portcon statements.

   Other Differences

       --default            Find differences in default_* statements.
       --property           Find differences in policy properties. Only
                            applicable for binary policies (policy version,
                            MLS enabled/disabled, unknown permissions setting).
       --polcap             Find differences in policy capabilities.
       --typebounds         Find differences in typebound statements.

OPTIONS

       -h, --help           Print help information and exit.
       --stats              Print difference statistics only.
       --version            Print version information and exit.
       -v, --verbose        Print additional informational messages.
       --debug              Enable debugging output.

DIFFERENCES

sediff categorizes differences in policy elements into one of three forms.

       added      The element exists only in the modified policy.

       removed    The element exists only in the original policy.

       modified   The element exists in both policies but its semantic meaning
                  has changed. For example, a class is modified if one or more
                  permissions are added or removed.
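The three forms above, worked through for object classes (the case the page uses as its example): a class present in only one policy is added or removed, and a class present in both whose permission set changed is modified. This is an added illustration of the categorization, not SETools code; the policy data is a constructed stand-in for the class definitions of POLICY1 and POLICY2.

```python
"""Illustrate sediff's added/removed/modified categorization on object classes.
Constructed sample data; not SETools code."""


def diff_classes(original, modified):
    """Categorize classes the way sediff's DIFFERENCES section describes.

    original, modified: dict mapping class name -> set of permission names.
    Returns a dict with 'added' and 'removed' class lists and a 'modified'
    map recording which permissions changed for each modified class.
    """
    orig_names, mod_names = set(original), set(modified)
    result = {
        "added": sorted(mod_names - orig_names),      # only in modified policy
        "removed": sorted(orig_names - mod_names),    # only in original policy
        "modified": {},
    }
    for name in sorted(orig_names & mod_names):
        added_perms = modified[name] - original[name]
        removed_perms = original[name] - modified[name]
        if added_perms or removed_perms:
            # Same class in both policies, but its semantic meaning changed.
            result["modified"][name] = {
                "added_perms": sorted(added_perms),
                "removed_perms": sorted(removed_perms),
            }
    return result


def stats(diff):
    """Counts per category, in the spirit of the --stats option."""
    return {key: len(diff[key]) for key in ("added", "removed", "modified")}


# Constructed sample: POLICY1 is the original, POLICY2 the modified policy.
POLICY1_CLASSES = {
    "file": {"read", "write", "execute", "getattr"},
    "dir": {"read", "search", "add_name"},
    "old_class": {"use"},
}
POLICY2_CLASSES = {
    "file": {"read", "write", "execute", "getattr", "map"},  # permission added
    "dir": {"read", "search", "add_name"},                   # unchanged
    "new_class": {"connect"},                                # class added
}

if __name__ == "__main__":
    d = diff_classes(POLICY1_CLASSES, POLICY2_CLASSES)
    for name in d["added"]:
        print(f"+ class {name}")
    for name in d["removed"]:
        print(f"- class {name}")
    for name, change in d["modified"].items():
        print(f"* class {name}: +{change['added_perms']} -{change['removed_perms']}")
```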

AUTHOR

Chris PeBenito <@tresys.com>

BUGS

Please report bugs via the SETools bug tracker,
https://github.com/TresysTechnology/setools/issues

SEE ALSO

apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)
Tresys Technology, LLC 2016-04-19 sediff(1)