sediff - Man Page

SELinux policy difference tool

Synopsis

sediff [Options] [EXPRESSION] POLICY1 POLICY2

Description

Determine the differences between two SELinux policies.

A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If not provided, sediff will print an error message and exit.

Expressions

The user may specify an expression listing the policy elements to differentiate. If not provided, all supported policy elements are examined.

Component Differences

--common: Find differences in common permission sets.
-c, --class: Find differences in object classes.
-t, --type: Find differences in attributes associated with types.
-a, --attribute: Find differences in types assigned to attributes.
-r, --role: Find differences in types authorized for roles.
-u, --user: Find differences in roles authorized for users.
-b, --bool: Find differences in the default values of booleans.
--sensitivity: Find differences in sensitivity definitions.
--category: Find differences in category definitions.
--level: Find differences in MLS level definitions.

Type Enforcement Rule Differences

-A: Find differences in allow and allowxperm rules.
--allow: Find differences in allow rules.
--auditallow: Find differences in auditallow rules.
--dontaudit: Find differences in dontaudit rules.
--allowxperm: Find differences in allowxperm rules.
--auditallowxperm: Find differences in auditallowxperm rules.
--dontauditxperm: Find differences in dontauditxperm rules.
-T, --type_trans: Find differences in type_transition rules.
--type_member: Find differences in type_member rules.
--type_change: Find differences in type_change rules.

RBAC Rule Differences

--role_allow: Find differences in role allow rules.
--role_trans: Find differences in role_transition rules.

MLS Rule Differences

--range_trans: Find differences in range_transition rules.

Constraint Differences

--constrain: Find differences in constrain rules.
--mlsconstrain: Find differences in mlsconstrain rules.
--validatetrans: Find differences in validatetrans rules.
--mlsvalidatetrans: Find differences in mlsvalidatetrans rules.

Labeling Statement Differences

--ibendportcon: Find differences in ibendportcon (InfiniBand endport context) statements.
--ibpkeycon: Find differences in ibpkeycon (InfiniBand parition key context) statements.
--initialsid: Find differences in initial SID statements.
--fs_use: Find differences in fs_use_* statements.
--genfscon: Find differences in genfscon statements.
--netifcon: Find differences in netifcon statements.
--nodecon: Find differences in nodecon statements.
--portcon: Find differences in portcon statements.

Other Differences

--default: Find differences in default_* statements.
--property: Find differences in policy properties. Only applicable for binary policies (policy version, MLS enabled/disabled, unknown permissions setting).
--polcap: Find differences in policy capabilities.
--typebounds: Find differences in typebound statements.

Options

-h, --help: Print help information and exit.
--stats: Print difference statistics only.
--version: Print version information and exit.
-v, --verbose: Print additional informational messages.
--debug: Enable debugging output.

Differences

sediff categorizes differences in policy elements into one of three forms.

added: The element exists only in the modified policy.
removed: The element exists only in the original policy.
modified: The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

Example

Show differences in boolean settings
# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified)
#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33