Provided by: setools_4.4.3-1_amd64
NAME
sediff - SELinux policy difference tool
SYNOPSIS
sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2
DESCRIPTION
Determine the differences between two SELinux policies.
POLICY
A single file containing a binary policy. This file is usually named by version on Linux systems, for example, policy.30. This file is usually named sepolicy on Android systems. If not provided, sediff will print an error message and exit.
EXPRESSIONS
The user may specify an expression listing the policy elements to differentiate. If not provided, all supported policy elements are examined.

Component Differences
    --common
        Find differences in common permission sets.
    -c, --class
        Find differences in object classes.
    -t, --type
        Find differences in attributes associated with types.
    -a, --attribute
        Find differences in types assigned to attributes.
    -r, --role
        Find differences in types authorized for roles.
    -u, --user
        Find differences in roles authorized for users.
    -b, --bool
        Find differences in the default values of booleans.
    --sensitivity
        Find differences in sensitivity definitions.
    --category
        Find differences in category definitions.
    --level
        Find differences in MLS level definitions.

Type Enforcement Rule Differences
    -A
        Find differences in allow and allowxperm rules.
    --allow
        Find differences in allow rules.
    --auditallow
        Find differences in auditallow rules.
    --dontaudit
        Find differences in dontaudit rules.
    --allowxperm
        Find differences in allowxperm rules.
    --auditallowxperm
        Find differences in auditallowxperm rules.
    --dontauditxperm
        Find differences in dontauditxperm rules.
    -T, --type_trans
        Find differences in type_transition rules.
    --type_member
        Find differences in type_member rules.
    --type_change
        Find differences in type_change rules.

RBAC Rule Differences
    --role_allow
        Find differences in role allow rules.
    --role_trans
        Find differences in role_transition rules.

MLS Rule Differences
    --range_trans
        Find differences in range_transition rules.

Constraint Differences
    --constrain
        Find differences in constrain rules.
    --mlsconstrain
        Find differences in mlsconstrain rules.
    --validatetrans
        Find differences in validatetrans rules.
    --mlsvalidatetrans
        Find differences in mlsvalidatetrans rules.

Labeling Statement Differences
    --ibendportcon
        Find differences in ibendportcon (InfiniBand endport context) statements.
    --ibpkeycon
        Find differences in ibpkeycon (InfiniBand partition key context) statements.
    --initialsid
        Find differences in initial SID statements.
    --fs_use
        Find differences in fs_use_* statements.
    --genfscon
        Find differences in genfscon statements.
    --netifcon
        Find differences in netifcon statements.
    --nodecon
        Find differences in nodecon statements.
    --portcon
        Find differences in portcon statements.

Other Differences
    --default
        Find differences in default_* statements.
    --property
        Find differences in policy properties. Only applicable for binary policies (policy version, MLS enabled/disabled, unknown permissions setting).
    --polcap
        Find differences in policy capabilities.
    --typebounds
        Find differences in typebounds statements.
OPTIONS
    -h, --help
        Print help information and exit.
    --stats
        Print difference statistics only.
    --version
        Print version information and exit.
    -v, --verbose
        Print additional informational messages.
    --debug
        Enable debugging output.
DIFFERENCES
sediff categorizes differences in policy elements into one of three forms.

    added
        The element exists only in the modified policy (POLICY2).
    removed
        The element exists only in the original policy (POLICY1).
    modified
        The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.
EXAMPLE
Show differences in boolean settings:

    # sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33

Show statistics for allow and allowxperm rule changes (how many rules were added, removed, or modified):

    # sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
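A typical use of the output above is a review gate: when a policy is rebuilt, fail the change if it grants new allow rules, and list any added rule whose target is a sensitive type. The script below is an added example and is not part of setools. The SAMPLE_DIFF text is constructed for the example and only approximates sediff's textual layout (a section header with added/removed/modified counts, followed by rule lines prefixed "+", "-" or "*"); the exact layout, including whether --stats emits the same header lines, is an assumption to be checked against your own setools version. The helper names count_added, stats_added, flag_sensitive_targets and gate_no_new_allows are invented here.

```shell
#!/bin/sh
# Added example, not part of setools: gate a policy update on sediff output.
# SAMPLE_DIFF is constructed and only approximates sediff's text layout
# (section header with counts, then "+"/"-"/"*" prefixed rule lines).
# Real input would come from:  sediff -A POLICY1 POLICY2

SAMPLE_DIFF='Allow Rules (2 Added, 1 Removed, 1 Modified)
   Added Allow Rules: 2
      + allow httpd_t shadow_t:file { read open };
      + allow httpd_t user_home_t:dir search;
   Removed Allow Rules: 1
      - allow httpd_t tmp_t:file unlink;
   Modified Allow Rules: 1
      * allow httpd_t httpd_log_t:file { append +write };
Allowxperm Rules (0 Added, 0 Removed, 0 Modified)'

# Number of rule lines marked added ("+") inside the named section.
# $1 = section header prefix, e.g. "Allow Rules"; stdin = sediff output.
count_added() {
    awk -v section="$1" '
        /^[A-Za-z].*\(/ { in_section = (index($0, section) == 1) }
        in_section && $1 == "+" { n++ }
        END { print n + 0 }'
}

# Added count read from the section header itself (assumes --stats output
# carries the same "(N Added, ...)" header lines).
# $1 = section header prefix; stdin = sediff output.
stats_added() {
    awk -v section="$1" '
        index($0, section) == 1 { sub(/.*\(/, ""); print $1 + 0; exit }'
}

# Print added allow rules whose target type matches an ERE of sensitive types.
# $1 = ERE such as "shadow_t|passwd_file_t"; stdin = sediff output.
flag_sensitive_targets() {
    awk -v pat="$1" '
        $1 == "+" && $2 == "allow" && $4 ~ ("^(" pat "):") { print }'
}

# CI-style gate: succeed only if the diff adds no allow rules at all.
# stdin = sediff output.
gate_no_new_allows() {
    [ "$(count_added "Allow Rules")" -eq 0 ]
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_DIFF" | count_added "Allow Rules"          # 2
printf '%s\n' "$SAMPLE_DIFF" | stats_added "Allowxperm Rules"     # 0
printf '%s\n' "$SAMPLE_DIFF" | flag_sensitive_targets 'shadow_t|passwd_file_t'
```

In practice the sample would be replaced by the output of the sediff -A invocation shown in the examples, with POLICY1 as the policy currently loaded (or its backup) and POLICY2 as the candidate; the "added" classification is what matters for a gate, since removed and modified rules narrow or reshape access rather than grant it outright.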
AUTHOR
Chris PeBenito <pebenito@ieee.org>
BUGS
Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues
SEE ALSO
apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)