diff options
Diffstat (limited to 'man/sediff.1')
-rw-r--r-- | man/sediff.1 | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/man/sediff.1 b/man/sediff.1 new file mode 100644 index 0000000..ef4f3a9 --- /dev/null +++ b/man/sediff.1 @@ -0,0 +1,118 @@ +.TH sediff 1 +.SH NAME +sediff \- SELinux policy difference tool +.SH SYNOPSIS +.B sediff +[OPTIONS] [EXPRESSION] ORIGINAL_POLICY ; MODIFIED_POLICY +.SH DESCRIPTION +.PP +.B sediff +allows the user to inspect the semantic differences between two SELinux policies. +.SH POLICY +.PP +.B +sediff +supports loading SELinux policies in one of four formats. +.IP "source" +A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf. +.IP "binary" +A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20. +.IP "modular" +A list of policy packages each containing a loadable policy module. The first module listed must be a base module. +.IP "policy list" +A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities. +.PP +Policies do not need to be the same format. If not provided +.B +sediff +will print an error message and exit. +.SH EXPRESSIONS +.P +The user may specify an expression listing the policy elements to differentiate. +If not provided, all supported policy elements sans neverallows are examined. +.IP "-c, --class" +Find differences in permissions assigned to object classes and common permission sets. +.IP "--level" +Find differences in categories authorized for MLS levels. +.IP "--category" +Find differences in category definitions. +.IP "-t, --type" +Find differences in attributes associated with types. +.IP "-a, --attribute" +Find differences in types assigned to attributes. +.IP "-r, --role" +Find differences in types authorized for roles. +.IP "-u, --user" +Find differences in roles authorized for users. +.IP "-b, --bool" +Find differences in the default values of booleans. +.IP "-A, --allow" +Find differences in allow rules. +.IP "--auditallow" +Find differences in auditallow rules. +.IP "--dontaudit" +Find differences in dontaudit rules. +.IP "--neverallow" +Find differences in neverallow rules. +.IP "--type_trans" +Find differences in type_transition rules. +.IP "--type_member" +Find differences in type_member rules. +.IP "--type_change" +Find differences in type_change rules. +.IP "--role_trans" +Find differences in role_transition rules. +This includes differences in the default role. +.IP "--role_allow" +Find differences in role allow rules. +.IP "--range_trans" +Find differences in range_transition rules. This includes differences +in the target MLS range. +.SH OPTIONS +.IP "-q, --quiet" +If there are no differences for elements of a given kind, +suppress status output for that kind of element. +.IP "--stats" +Print difference statistics only. +.IP "-h, --help" +Print help information and exit. +.IP "-V, --version" +Print version information and exit. +.SH DIFFERENCES +.PP +.B +sediff +categorizes differences in policy elements into one of three forms. +.RS +.IP "added" +The element exists only in the modified policy. +.IP "removed" +The element exists only in the original policy. +.IP "modified" +The element exists in both policies but its semantic meaning has changed. +For example, a class is modified if one or more permissions are added or removed. +.RE +.PP +For all rules with types as their source or target, two additional forms of difference are recognized. +This helps distinguish differences due to new types from differences in rules for existing types. +.RS +.IP "added, new type" +The rule exists only in the modified policy; +furthermore, one or more of the types in the rule do not exist in the original policy. +.IP "removed, missing type" +The rule exists only in the original policy; +furthermore, one or more of the types in the rule do not exist in the modified policy. +.RE +.SH NOTE +Most shells interpret the semicolon as a metacharacter, thus requiring +a backslash like so: +.B +sediff original.policy \\; modified.policy +.SH AUTHOR +This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>. +.SH COPYRIGHT +Copyright(C) 2004-2007 Tresys Technology, LLC +.SH BUGS +Please report bugs via an email to setools-bugs@tresys.com. +.SH SEE ALSO +sediffx(1) |