NAME
sediffx - graphical SELinux policy difference tool
SYNOPSIS
sediffx [-d] [ORIGINAL_POLICY ; MODIFIED_POLICY]
DESCRIPTION
sediffx allows the user to graphically inspect the semantic differences
between two SELinux policies. All supported policy elements are examined.
POLICY
sediffx supports loading SELinux policies in one of four formats.
- source: A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
- binary: A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version, for example policy.20.
- modular: A list of policy packages, each containing a loadable policy module. The first module listed must be a base module.
- policy list: A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
The two policies need not be in the same format. If no policies are given on the command line, sediffx starts with none loaded.
OPTIONS
- -d, --diff-now: Load the policies and compute their differences immediately. This option requires the policies to be specified on the command line.
- -h, --help: Print help information and exit.
- -V, --version: Print version information and exit.
DIFFERENCES
sediffx categorizes differences in policy elements into one of three forms.
- added: The element exists only in the modified policy.
- removed: The element exists only in the original policy.
- modified: The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more of its permissions are added or removed.
For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences caused by new types from differences in rules for existing types.
- added, new type: The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy.
- removed, missing type: The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.
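The classification above, as an added Python example that is not part of the sediffx manual or of the SETools code: two constructed toy policies (types, object classes with their permission sets, and allow rules keyed by source type, target type and object class) are compared, and each difference is assigned to one of the five forms. The Policy class, the rule representation and every type, class and permission name are assumptions made for the illustration, not a parser for real policy files.

```python
"""Classify semantic differences between two small SELinux-like policies into
the forms the DIFFERENCES section lists. Added example with constructed toy
policies; it is not SETools code and does not parse real policy files."""

from dataclasses import dataclass

# A rule key is (source type, target type, object class); the value is the set
# of permissions the allow rule grants. Assumed representation, not SETools'.
RuleKey = tuple[str, str, str]


@dataclass
class Policy:
    types: set[str]
    classes: dict[str, set[str]]      # object class -> permissions it defines
    allow: dict[RuleKey, set[str]]    # allow rule -> permissions granted


def diff_classes(orig: Policy, mod: Policy) -> dict[str, list]:
    """Three basic forms: added, removed, modified (permission set changed)."""
    result = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(orig.classes) | set(mod.classes)):
        if name not in orig.classes:
            result["added"].append(name)
        elif name not in mod.classes:
            result["removed"].append(name)
        elif orig.classes[name] != mod.classes[name]:
            # Record which permissions came and went so the report is actionable.
            result["modified"].append(
                (name,
                 sorted(mod.classes[name] - orig.classes[name]),
                 sorted(orig.classes[name] - mod.classes[name])))
    return result


def diff_allow(orig: Policy, mod: Policy) -> dict[str, list]:
    """All five forms for type-keyed allow rules.

    A rule present on only one side is split further by whether one of its
    types is absent on the other side; that separates rule changes for
    existing types from rules that exist only because a type was introduced
    or dropped."""
    forms = ("added", "removed", "modified", "added_new_type", "removed_missing_type")
    result = {k: [] for k in forms}
    for key in sorted(set(orig.allow) | set(mod.allow)):
        src, tgt, _cls = key
        if key not in orig.allow:
            if src not in orig.types or tgt not in orig.types:
                result["added_new_type"].append(key)
            else:
                result["added"].append(key)
        elif key not in mod.allow:
            if src not in mod.types or tgt not in mod.types:
                result["removed_missing_type"].append(key)
            else:
                result["removed"].append(key)
        elif orig.allow[key] != mod.allow[key]:
            result["modified"].append(
                (key,
                 sorted(mod.allow[key] - orig.allow[key]),
                 sorted(orig.allow[key] - mod.allow[key])))
    return result


# Constructed sample policies; every name here is made up for the example.
ORIGINAL = Policy(
    types={"user_t", "bin_t", "etc_t", "tmp_t"},
    classes={"file": {"read", "write", "execute"}, "dir": {"search"}, "process": {"fork"}},
    allow={
        ("user_t", "bin_t", "file"): {"read", "execute"},
        ("user_t", "etc_t", "file"): {"read"},
        ("user_t", "etc_t", "dir"): {"search"},
        ("user_t", "tmp_t", "file"): {"read", "write"},
    },
)
MODIFIED = Policy(
    types={"user_t", "bin_t", "etc_t", "log_t"},   # tmp_t dropped, log_t introduced
    classes={"file": {"read", "write", "execute", "open"}, "dir": {"search"}, "socket": {"bind"}},
    allow={
        ("user_t", "bin_t", "file"): {"read", "execute", "open"},  # modified
        ("user_t", "etc_t", "file"): {"read"},                     # unchanged
        ("user_t", "bin_t", "dir"): {"search"},                    # added (existing types)
        ("user_t", "log_t", "file"): {"read"},                     # added, new type
        # (user_t, etc_t, dir) is removed; (user_t, tmp_t, file) is removed, missing type
    },
)


def report(orig: Policy = ORIGINAL, mod: Policy = MODIFIED) -> dict[str, dict[str, list]]:
    return {"classes": diff_classes(orig, mod), "allow": diff_allow(orig, mod)}


if __name__ == "__main__":
    for section, forms in report().items():
        print(section)
        for form, items in forms.items():
            for item in items:
                print(f"  {form}: {item}")
```

Running the script prints one line per difference, grouped by element kind and form; when reviewing a policy change, the "added" and "modified" allow rules for existing types are the ones that widen access without any accompanying new type and so deserve the closest look.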
NOTE
Most shells interpret the semicolon as a metacharacter, so it must be escaped with a backslash:
sediffx original.policy \; modified.policy
AUTHOR
This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
COPYRIGHT
Copyright (C) 2005-2007 Tresys Technology, LLC
BUGS
Please report bugs via an email to setools-bugs@tresys.com.
SEE ALSO
sediff(1)