sediffx(1) [centos man page]

sediffx(1)                                                    General Commands Manual                                                   sediffx(1)

NAME
       sediffx - graphical SELinux policy difference tool

SYNOPSIS
       sediffx [-d] [ORIGINAL_POLICY ; MODIFIED_POLICY]

DESCRIPTION
       sediffx allows the user to graphically inspect the semantic differences between two SELinux policies. All supported policy elements are examined.

POLICY
       sediffx supports loading SELinux policies in one of four formats.

       source
              A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.

       binary
              A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

       Policies do not need to be the same format. If not provided sediffx will begin with no policies loaded.

OPTIONS
       -d, --diff-now
              Load the policies and differentiate them immediately. This option requires the user to specify the policies on the command line.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

DIFFERENCES
       sediffx categorizes differences in policy elements into one of three forms.

       added
              The element exists only in the modified policy.

       removed
              The element exists only in the original policy.

       modified
              The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

       For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences due to new types from differences in rules for existing types.

       added, new type
              The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy.

       removed, missing type
              The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.

NOTE
       Most shells interpret the semicolon as a metacharacter, thus requiring a backslash like so:

              sediffx original.policy \; modified.policy

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2005-2007 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       sediff(1)

sediffx(1)
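
The five difference forms listed under DIFFERENCES in the sediffx page above, applied to allow rules in a simplified model. This is an added example, not part of the manual page or of SETools; the rule key (source, target, object class), the function name classify_rule_diffs and the sample policies are assumptions constructed for illustration.

```python
# Added example: a simplified model of sediffx's five difference forms for
# allow rules. Rule key and sample policies are constructed for illustration.

def classify_rule_diffs(orig_types, orig_rules, mod_types, mod_rules):
    """Return {rule_key: form} for every rule that differs.

    Each *_rules argument maps (source, target, object_class) to a
    frozenset of permissions; each *_types argument is the set of type
    names declared in that policy.
    """
    diffs = {}
    for key in orig_rules.keys() | mod_rules.keys():
        source, target, _cls = key
        rule_types = {source, target}
        if key not in orig_rules:
            # Only in the modified policy: is one of its types itself new?
            new = rule_types - orig_types
            diffs[key] = "added, new type" if new else "added"
        elif key not in mod_rules:
            # Only in the original policy: did one of its types disappear?
            gone = rule_types - mod_types
            diffs[key] = "removed, missing type" if gone else "removed"
        elif orig_rules[key] != mod_rules[key]:
            # Same rule key in both policies, different permission set.
            diffs[key] = "modified"
    return diffs


# Constructed sample policies (not taken from any real policy).
ORIG_TYPES = {"httpd_t", "httpd_log_t", "user_home_t", "ftpd_t", "ftpd_log_t"}
ORIG_RULES = {
    ("httpd_t", "httpd_log_t", "file"): frozenset({"append", "getattr"}),
    ("httpd_t", "user_home_t", "file"): frozenset({"read"}),
    ("ftpd_t", "ftpd_log_t", "file"): frozenset({"append"}),
}
MOD_TYPES = {"httpd_t", "httpd_log_t", "user_home_t", "httpd_cache_t"}
MOD_RULES = {
    ("httpd_t", "httpd_log_t", "file"): frozenset({"append", "getattr", "write"}),
    ("httpd_t", "httpd_cache_t", "file"): frozenset({"read", "write"}),
    ("httpd_t", "user_home_t", "dir"): frozenset({"search"}),
}

if __name__ == "__main__":
    result = classify_rule_diffs(ORIG_TYPES, ORIG_RULES, MOD_TYPES, MOD_RULES)
    for key, form in sorted(result.items()):
        print(f"{form:22} allow {key[0]} {key[1]}:{key[2]}")
```

When reviewing a policy update, the plain "added" and "modified" entries are the ones that widen access for types that already existed, which is the distinction the two extra forms are meant to expose.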

seinfo(1)						      General Commands Manual							 seinfo(1)

NAME
       seinfo - SELinux policy query tool

SYNOPSIS
       seinfo [OPTIONS] [EXPRESSION] [POLICY ...]

DESCRIPTION
       seinfo allows the user to query the components of a SELinux policy.

POLICY
       seinfo supports loading a SELinux policy in one of four formats.

       source
              A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.

       binary
              A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, seinfo will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found. In the latter case, the policy will be downgraded to match the running system. If no policy can be found, seinfo will print an error message and exit.

EXPRESSIONS
       One or more of the following component types can be queried. Each option may only be specified once. If an option is provided multiple times, the last instance will be used. Some components support the -x flag to print expanded information about that component; if a particular component specified does not support expanded information, the flag will be ignored for that component (see -x below). If no expressions are provided, policy statistics will be printed (see --stats below).

       -c[NAME], --class[=NAME]
              Print a list of object classes or, if NAME is provided, print the object class NAME. With -x, print a list of permissions for each displayed object class.

       --sensitivity[=NAME]
              Print a list of sensitivities or, if NAME is provided, print the sensitivity NAME. With -x, print the corresponding level statement for each displayed sensitivity.

       --category[=NAME]
              Print a list of categories or, if NAME is provided, print the category NAME. With -x, print a list of sensitivities with which each displayed category may be associated.

       -t[NAME], --type[=NAME]
              Print a list of types (not including aliases or attributes) or, if NAME is provided, print the type NAME. With -x, print a list of attributes which include each displayed type.

       -a[NAME], --attribute[=NAME]
              Print a list of type attributes or, if NAME is provided, print the attribute NAME. With -x, print a list of types assigned to each displayed attribute.

       -r[NAME], --role[=NAME]
              Print a list of roles or, if NAME is provided, print the role NAME. With -x, print a list of types assigned to each displayed role.

       -u[NAME], --user[=NAME]
              Print a list of users or, if NAME is provided, print the user NAME. With -x, print a list of roles assigned to each displayed user.

       -b[NAME], --bool[=NAME]
              Print a list of conditional booleans or, if NAME is provided, print the boolean NAME. With -x, print the default state of each displayed conditional boolean.

       --initialsid[=NAME]
              Print a list of initial SIDs or, if NAME is provided, print the initial SID NAME. With -x, print the context assigned to each displayed SID.

       --fs_use[=TYPE]
              Print a list of fs_use statements or, if TYPE is provided, print the statement for filesystem TYPE. There is no expanded information for this component.

       --genfscon[=TYPE]
              Print a list of genfscon statements or, if TYPE is provided, print the statement for the filesystem TYPE. There is no expanded information for this component.

       --netifcon[=NAME]
              Print a list of netif contexts or, if NAME is provided, print the statement for interface NAME. There is no expanded information for this component.

       --nodecon[=ADDR]
              Print a list of node contexts or, if ADDR is provided, print the statement for the node with address ADDR. There is no expanded information for this component.

       --polcap
              Print policy capabilities.

       --permissive
              Print permissive types.

       --portcon[=PORT]
              Print a list of port contexts or, if PORT is provided, print the statement for port PORT. There is no expanded information for this component.

       --protocol=PROTO
              Print only portcon statements for the protocol PROTO. This option is ignored if portcon statements are not printed or if no statement exists for the requested port.

       --constrain
              Print a list of constraints. There is no expanded information for this component.

       --all  Print all components.

OPTIONS
       -x, --expand
              Print additional details for each component matching the expression. These details include the types assigned to an attribute or role and the permissions for an object class. This option is not available for all component types; see the description of each component for the details this option will provide.

       --stats
              Print policy statistics including policy type and version information and counts of all components and rules.

       -l, --line-breaks
              Print line breaks when displaying constraint statements.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2003-2010 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       sesearch(1), apol(1)

seinfo(1)