summaryrefslogtreecommitdiffstats
path: root/man/sediff.1
diff options
context:
space:
mode:
Diffstat (limited to 'man/sediff.1')
-rw-r--r--man/sediff.1118
1 files changed, 118 insertions, 0 deletions
diff --git a/man/sediff.1 b/man/sediff.1
new file mode 100644
index 0000000..ef4f3a9
--- /dev/null
+++ b/man/sediff.1
@@ -0,0 +1,118 @@
+.TH sediff 1
+.SH NAME
+sediff \- SELinux policy difference tool
+.SH SYNOPSIS
+.B sediff
+[OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY
+.SH DESCRIPTION
+.PP
+.B sediff
+allows the user to inspect the semantic differences between two SELinux policies.
+.SH POLICY
+.PP
+.B
+sediff
+supports loading SELinux policies in one of four formats.
+.IP "source"
+A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.
+.IP "binary"
+A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.
+.IP "modular"
+A list of policy packages each containing a loadable policy module. The first module listed must be a base module.
+.IP "policy list"
+A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.
+.PP
+Policies do not need to be the same format. If not provided
+.B
+sediff
+will print an error message and exit.
+.SH EXPRESSIONS
+.P
+The user may specify an expression listing the policy elements to differentiate.
+If not provided, all supported policy elements sans neverallows are examined.
+.IP "-c, --class"
+Find differences in permissions assigned to object classes and common permission sets.
+.IP "--level"
+Find differences in categories authorized for MLS levels.
+.IP "--category"
+Find differences in category definitions.
+.IP "-t, --type"
+Find differences in attributes associated with types.
+.IP "-a, --attribute"
+Find differences in types assigned to attributes.
+.IP "-r, --role"
+Find differences in types authorized for roles.
+.IP "-u, --user"
+Find differences in roles authorized for users.
+.IP "-b, --bool"
+Find differences in the default values of booleans.
+.IP "-A, --allow"
+Find differences in allow rules.
+.IP "--auditallow"
+Find differences in auditallow rules.
+.IP "--dontaudit"
+Find differences in dontaudit rules.
+.IP "--neverallow"
+Find differences in neverallow rules.
+.IP "--type_trans"
+Find differences in type_transition rules.
+.IP "--type_member"
+Find differences in type_member rules.
+.IP "--type_change"
+Find differences in type_change rules.
+.IP "--role_trans"
+Find differences in role_transition rules.
+This includes differences in the default role.
+.IP "--role_allow"
+Find differences in role allow rules.
+.IP "--range_trans"
+Find differences in range_transition rules. This includes differences
+in the target MLS range.
+.SH OPTIONS
+.IP "-q, --quiet"
+If there are no differences for elements of a given kind,
+suppress status output for that kind of element.
+.IP "--stats"
+Print difference statistics only.
+.IP "-h, --help"
+Print help information and exit.
+.IP "-V, --version"
+Print version information and exit.
+.SH DIFFERENCES
+.PP
+.B
+sediff
+categorizes differences in policy elements into one of three forms.
+.RS
+.IP "added"
+The element exists only in the modified policy.
+.IP "removed"
+The element exists only in the original policy.
+.IP "modified"
+The element exists in both policies but its semantic meaning has changed.
+For example, a class is modified if one or more permissions are added or removed.
+.RE
+.PP
+For all rules with types as their source or target, two additional forms of difference are recognized.
+This helps distinguish differences due to new types from differences in rules for existing types.
+.RS
+.IP "added, new type"
+The rule exists only in the modified policy;
+furthermore, one or more of the types in the rule do not exist in the original policy.
+.IP "removed, missing type"
+The rule exists only in the original policy;
+furthermore, one or more of the types in the rule do not exist in the modified policy.
+.RE
+.SH NOTE
+Most shells interpret the semicolon as a metacharacter, thus requiring
+a backslash like so:
+.B
+sediff original.policy \\; modified.policy
+.SH AUTHOR
+This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+.SH COPYRIGHT
+Copyright(C) 2004-2007 Tresys Technology, LLC
+.SH BUGS
+Please report bugs via an email to setools-bugs@tresys.com.
+.SH SEE ALSO
+sediffx(1)