sediffx(1) [centos man page]

sediffx(1)                                                    General Commands Manual                                                   sediffx(1)

NAME
       sediffx - graphical SELinux policy difference tool

SYNOPSIS
       sediffx [-d] [ORIGINAL_POLICY ; MODIFIED_POLICY]

DESCRIPTION
       sediffx allows the user to graphically inspect the semantic differences between two SELinux policies. All supported policy elements are examined.

POLICY
       sediffx supports loading SELinux policies in one of four formats.

       source
              A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.

       binary
              A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

       The two policies do not need to be in the same format. If no policies are given on the command line, sediffx starts with no policies loaded.

OPTIONS
       -d, --diff-now
              Load the policies and differentiate them immediately. This option requires the user to specify the policies on the command line.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

DIFFERENCES
       sediffx categorizes differences in policy elements into one of three forms.

       added
              The element exists only in the modified policy.

       removed
              The element exists only in the original policy.

       modified
              The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

       For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences due to new types from differences in rules for existing types.

       added, new type
              The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy.

       removed, missing type
              The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.

NOTE
       Most shells interpret the semicolon as a metacharacter, so it must be escaped with a backslash (or quoted) when separating the two policies, like so:

              sediffx original.policy \; modified.policy

       Without the backslash the shell ends the command at the semicolon and sediffx is started with only the first policy.

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2005-2007 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       sediff(1)
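The following is an added example, not code from the sediffx man page or from SETools. It models the five difference forms listed under DIFFERENCES for allow rules only: a policy is reduced to its declared type names plus allow rules keyed by (source, target, class) with a permission set, and the two sample policies are constructed for the example. The real tools load complete policies, expand attributes, and compare every supported element kind (classes, roles, users, booleans, and so on), none of which this model attempts.

```python
"""Added example, not part of the sediffx man page or SETools: a simplified
model of the five difference forms described under DIFFERENCES, applied to
allow rules only.  A policy is reduced to its declared type names plus allow
rules keyed by (source, target, class) with a permission set.  The real tools
load whole policies and compare every supported element kind; the two
policies below are constructed for this example."""

from dataclasses import dataclass, field


@dataclass
class Policy:
    types: set
    # (source_type, target_type, object_class) -> set of permission names
    allow: dict = field(default_factory=dict)


def parse_allow_rules(text):
    """Hand-written parser for lines like
    'allow src tgt:cls { p1 p2 };' or 'allow src tgt:cls p;'.
    Lines not starting with 'allow ' (comments, type decls) are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow "):
            continue
        body = line[len("allow "):].rstrip(";").strip()
        src, rest = body.split(None, 1)
        tgt_cls, perms = rest.split(None, 1)
        tgt, cls = tgt_cls.split(":", 1)
        perm_set = set(perms.strip().strip("{}").split())
        # two rules with the same (src, tgt, cls) merge, as the kernel treats them
        rules.setdefault((src, tgt, cls), set()).update(perm_set)
    return rules


def diff_allow_rules(original, modified):
    """Classify each allow rule into one of sediffx's five forms.
    'modified' entries carry (key, added_perms, removed_perms)."""
    result = {"added": [], "removed": [], "modified": [],
              "added, new type": [], "removed, missing type": []}
    orig_keys, mod_keys = set(original.allow), set(modified.allow)
    for key in sorted(mod_keys - orig_keys):
        src, tgt, _ = key
        # a rule that only exists because a type was introduced is reported
        # separately from a genuinely new rule between pre-existing types
        if src not in original.types or tgt not in original.types:
            result["added, new type"].append(key)
        else:
            result["added"].append(key)
    for key in sorted(orig_keys - mod_keys):
        src, tgt, _ = key
        if src not in modified.types or tgt not in modified.types:
            result["removed, missing type"].append(key)
        else:
            result["removed"].append(key)
    for key in sorted(orig_keys & mod_keys):
        old, new = original.allow[key], modified.allow[key]
        if old != new:  # same rule, changed permission set -> modified
            result["modified"].append((key, sorted(new - old), sorted(old - new)))
    return result


# Constructed sample policies (not real distribution policy).
ORIGINAL_TYPES = {"httpd_t", "httpd_sys_content_t", "shadow_t", "tmp_t"}
ORIGINAL_RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr };
allow httpd_t shadow_t:file read;
allow httpd_t tmp_t:dir search;
"""
# tmp_t was dropped and httpd_log_t introduced in the modified policy
MODIFIED_TYPES = {"httpd_t", "httpd_sys_content_t", "shadow_t", "httpd_log_t"}
MODIFIED_RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create };
allow httpd_t shadow_t:dir search;
"""


def example_diff():
    original = Policy(ORIGINAL_TYPES, parse_allow_rules(ORIGINAL_RULES))
    modified = Policy(MODIFIED_TYPES, parse_allow_rules(MODIFIED_RULES))
    return diff_allow_rules(original, modified)


if __name__ == "__main__":
    for form, entries in example_diff().items():
        print(form.upper())
        for entry in entries:
            print("   ", entry)
```

The point worth noticing when reading a real sediff report is the split between "added" and "added, new type": the removal of httpd_t's read access to shadow_t and the new dir search on shadow_t involve only types both policies know, so they are genuine rule changes, whereas the rules on httpd_log_t and tmp_t exist only because a type was introduced or dropped.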


sechecker(1)						      General Commands Manual						      sechecker(1)

NAME
       sechecker - SELinux policy checking tool

SYNOPSIS
       sechecker [OPTIONS] -p profile [POLICY ...]
       sechecker [OPTIONS] -m module [POLICY ...]
       sechecker [OPTIONS] -p profile -m module [POLICY ...]

DESCRIPTION
       sechecker allows the user to perform predefined modular checks on a SELinux policy. Profiles exist to group modules together and allow modification of module settings (see PROFILE OPTIONS below).

POLICY
       sechecker supports loading a SELinux policy in one of four formats.

       source
              A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.

       binary
              A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

       If no policy file is provided, sechecker will search for the system default policy: checking first for a source policy, next for a binary policy matching the running kernel's preferred version, and finally for the highest version that can be found. In the latter case, the policy will be downgraded to match the running system. If no policy can be found, sechecker will print an error message and exit.

OPTIONS
       -p PROFILE, --profile=PROFILE
              Load module settings from a module profile. The settings in the profile override the default settings for all specified modules. If specified without -m, run all modules in the profile. PROFILE may either be the name of a known profile (see --list) or the path to a user created profile. See PROFILE OPTIONS below for more information about creating profiles.

       -m MODULE, --module=MODULE
              Run only the module named MODULE (see --list).

       --min-sev=SEVERITY
              Report only results with the minimum severity of SEVERITY. SEVERITY must have one of the following values:

              low    The module's results indicate a flaw in the policy that does not affect the manner in which the policy is enforced, but is considered to be improper.

              med    The module's results indicate a flaw in the policy that changes the manner in which the policy is enforced; however, it does not present an identifiable security risk.

              high   The module's results indicate a flaw in the policy that presents an identifiable security risk.

       --fcfile=FILE
              Use FILE for the file_contexts file instead of the system default. This flag is only applicable if sechecker was configured with the --enable-sefs flag.

       -l, --list
              Print a list of the name and a brief description of all known profiles and modules and exit.

       -h[MODULE], --help[=MODULE]
              Print general help information and exit. If MODULE is provided, print help information for the module named MODULE and exit.

       -V, --version
              Print version information and exit.

   REPORT GENERATION OPTIONS
       Only one of the following may be provided to specify the length of the report for all modules. If provided, this option overrides both profile and module default output settings.

       -q, --quiet
              suppress output

       -s, --short
              print short output

       -v, --verbose
              print verbose output

PROFILE OPTIONS
       Profiles are used to group modules together, to specify the output format for each module in the report, and to provide the ability to override the modules' default options. Each profile is a well-formed XML document, as specified by the DTD installed with sechecker. An example profile follows:

              <sechecker version="1.1">
                <profile>
                  <module name="find_domains">
                    <output value="quiet"/>
                    <option name="domain_attribute">
                      <item value="domain"/>
                      <item value="user_domain"/>
                      ...
                    </option>
                  </module>
                  ...
                </profile>
              </sechecker>

       The example profile specifies the output property for the find_domains module. The example profile also overrides the default value for the "domain_attribute" option in the find_domains module.

   PROFILE OUTPUT OPTIONS
       The valid output values for each module are specified below:

       verbose
              Print each result in the report with accompanying proof(s).

       short
              Print a list of results with no accompanying proof.

       none
              Do not print output from this module in the report; however, module errors will still be printed.

       quiet
              Do not print output from this module in the report and do not print errors. This is useful for utility modules for which the calling module handles any errors.

   PROFILE MODULE OPTIONS
       Several modules provide one or more options that can be set from a profile. Each option has one or more items. To check what options are available for a module use --help=MODULE, where MODULE is the name of the module as printed by --list.

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2005-2008 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       apol(1)
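The loader below is an added example, not code from the sechecker man page or from SETools. It reads a profile of the shape shown under PROFILE OPTIONS into a dictionary and enforces only the constraints the page states (a <module> needs a name, an <output value> must be one of verbose, short, none or quiet, and an <option> carries one or more <item value> children), then serializes the dictionary back to XML. The DTD shipped with sechecker is not reproduced here, so this is a pre-check and not a substitute for validating against it; the sample profile is constructed for the example, and xml.etree offers no protection against entity-expansion attacks, so profiles from untrusted sources should be parsed with defusedxml instead.

```python
"""Added example, not from the sechecker man page or SETools: a loader and
writer for the profile format described under PROFILE OPTIONS.  It enforces
only the rules stated on the page, not the DTD installed with sechecker."""

import xml.etree.ElementTree as ET

# PROFILE OUTPUT OPTIONS: the only values an <output> element may carry
OUTPUT_VALUES = ("verbose", "short", "none", "quiet")


def load_profile(xml_text):
    """Parse a profile into (version, {module_name: {"output": str|None,
    "options": {option_name: [item values]}}}).  Raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "sechecker":
        raise ValueError("root element must be <sechecker>, got <%s>" % root.tag)
    version = root.get("version")
    profile = root.find("profile")
    if profile is None:
        raise ValueError("<sechecker> must contain a <profile> element")
    modules = {}
    for mod in profile.findall("module"):
        name = mod.get("name")
        if not name:
            raise ValueError("<module> without a name attribute")
        if name in modules:
            raise ValueError("module %r listed twice" % name)
        entry = {"output": None, "options": {}}
        out = mod.find("output")
        if out is not None:
            value = out.get("value")
            if value not in OUTPUT_VALUES:
                raise ValueError("module %r: bad output value %r (expected one of %s)"
                                 % (name, value, ", ".join(OUTPUT_VALUES)))
            entry["output"] = value
        for opt in mod.findall("option"):
            oname = opt.get("name")
            items = [it.get("value") for it in opt.findall("item")]
            # "Each option has one or more items" (PROFILE MODULE OPTIONS)
            if not oname or not items or None in items:
                raise ValueError("module %r: option needs a name and >=1 <item value>" % name)
            entry["options"][oname] = items
        modules[name] = entry
    return version, modules


def profile_error(xml_text):
    """Return the validation message for a profile, or None if it loads."""
    try:
        load_profile(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


def build_profile(version, modules):
    """Inverse of load_profile: serialize the dictionary back to profile XML."""
    root = ET.Element("sechecker", version=version)
    profile = ET.SubElement(root, "profile")
    for name, entry in modules.items():
        mod = ET.SubElement(profile, "module", name=name)
        if entry.get("output"):
            ET.SubElement(mod, "output", value=entry["output"])
        for oname, items in entry.get("options", {}).items():
            opt = ET.SubElement(mod, "option", name=oname)
            for value in items:
                ET.SubElement(opt, "item", value=value)
    return ET.tostring(root, encoding="unicode")


# Constructed sample profile mirroring the man page's example, with the
# elided "..." entries left out.
SAMPLE_PROFILE = """<sechecker version="1.1">
  <profile>
    <module name="find_domains">
      <output value="quiet"/>
      <option name="domain_attribute">
        <item value="domain"/>
        <item value="user_domain"/>
      </option>
    </module>
  </profile>
</sechecker>
"""
# Same profile with an output value the page does not allow.
BAD_PROFILE = SAMPLE_PROFILE.replace('value="quiet"', 'value="loud"')


if __name__ == "__main__":
    version, modules = load_profile(SAMPLE_PROFILE)
    print("version", version, modules)
    print("bad profile:", profile_error(BAD_PROFILE))
    print(build_profile(version, modules))
```

A practitioner would run this over a hand-edited profile before handing it to sechecker -p, since a wrong output value or an option without items is easier to diagnose here than in sechecker's own error output.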