sediff - SELinux policy difference tool
sediff [OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY
sediff allows the user to inspect the semantic differences between two SELinux policies.
sediff supports loading SELinux policies in one of four formats.
source A single text file containing policy source for versions 12 through 21. This file
is usually named policy.conf.
binary A single file containing a monolithic kernel binary policy for versions 15 through
21. This file is usually named by version - for example, policy.20.
A list of policy packages each containing a loadable policy module. The first mod-
ule listed must be a base module.
A single text file containing all the information needed to load a policy, usually
exported by SETools graphical utilities.
Policies do not need to be the same format. If not provided sediff will print an error
message and exit.
The user may specify an expression listing the policy elements to differentiate. If not
provided, all supported policy elements sans neverallows are examined.
Find differences in permissions assigned to object classes and common permission
Find differences in categories authorized for MLS levels.
Find differences in category definitions.
Find differences in attributes associated with types.
Find differences in types assigned to attributes.
Find differences in types authorized for roles.
Find differences in roles authorized for users.
Find differences in the default values of booleans.
Find differences in allow rules.
Find differences in auditallow rules.
Find differences in dontaudit rules.
Find differences in neverallow rules.
Find differences in type_transition rules.
Find differences in type_member rules.
Find differences in type_change rules.
Find differences in role_transition rules. This includes differences in the
Find differences in role allow rules.
Find differences in range_transition rules. This includes differences in the tar-
get MLS range.
If there are no differences for elements of a given kind, suppress status output
for that kind of element.
Print difference statistics only.
Print help information and exit.
Print version information and exit.
sediff categorizes differences in policy elements into one of three forms.
added The element exists only in the modified policy.
The element exists only in the original policy.
The element exists in both policies but its semantic meaning has changed.
For example, a class is modified if one or more permissions are added or
For all rules with types as their source or target, two additional forms of difference are
recognized. This helps distinguish differences due to new types from differences in rules
for existing types.
added, new type
The rule exists only in the modified policy; furthermore, one or more of the
types in the rule do not exist in the original policy.
removed, missing type
The rule exists only in the original policy; furthermore, one or more of the
types in the rule do not exist in the modified policy.
Most shells interpret the semicolon as a metacharacter, thus requiring a backslash like
so: sediff original.policy \; modified.policy
This manual page was written by Jeremy A. Mowery <firstname.lastname@example.org>.
Copyright(C) 2004-2007 Tresys Technology, LLC
Please report bugs via an email to email@example.com.