Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

CentOS 7.0 - man page for sediff (centos section 1)

sediff(1)						      General Commands Manual							 sediff(1)

NAME
sediff - SELinux policy difference tool
SYNOPSIS
sediff [OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY
DESCRIPTION
sediff allows the user to inspect the semantic differences between two SELinux policies.
POLICY
sediff supports loading SELinux policies in one of four formats. source A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf. binary A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20. modular A list of policy packages each containing a loadable policy module. The first module listed must be a base module. policy list A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities. Policies do not need to be the same format. If not provided sediff will print an error message and exit.
EXPRESSIONS
The user may specify an expression listing the policy elements to differentiate. If not provided, all supported policy elements sans nev- erallows are examined. -c, --class Find differences in permissions assigned to object classes and common permission sets. --level Find differences in categories authorized for MLS levels. --category Find differences in category definitions. -t, --type Find differences in attributes associated with types. -a, --attribute Find differences in types assigned to attributes. -r, --role Find differences in types authorized for roles. -u, --user Find differences in roles authorized for users. -b, --bool Find differences in the default values of booleans. -A, --allow Find differences in allow rules. --auditallow Find differences in auditallow rules. --dontaudit Find differences in dontaudit rules. --neverallow Find differences in neverallow rules. --type_trans Find differences in type_transition rules. --type_member Find differences in type_member rules. --type_change Find differences in type_change rules. --role_trans Find differences in role_transition rules. This includes differences in the default role. --role_allow Find differences in role allow rules. --range_trans Find differences in range_transition rules. This includes differences in the target MLS range.
OPTIONS
-q, --quiet If there are no differences for elements of a given kind, suppress status output for that kind of element. --stats Print difference statistics only. -h, --help Print help information and exit. -V, --version Print version information and exit.
DIFFERENCES
sediff categorizes differences in policy elements into one of three forms. added The element exists only in the modified policy. removed The element exists only in the original policy. modified The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed. For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences due to new types from differences in rules for existing types. added, new type The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy. removed, missing type The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.
NOTE
Most shells interpret the semicolon as a metacharacter, thus requiring a backslash like so: sediff original.policy \; modified.policy
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright(C) 2004-2007 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
sediffx(1) sediff(1)