sediff - SELinux policy difference tool

Author

       Chris PeBenito <pebenito@ieee.org>

Bugs

       Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues

Description

       Determine the differences between two SELinux policies.

Differences

sediff categorizes differences in policy elements into one of three forms.

              added  The element exists only in the modified policy.

              removed
                     The element exists only in the original policy.

              modified
                     The element exists in both policies but its semantic meaning has changed.  For  example,  a
                     class is modified if one or more permissions are added or removed.

Example

       Show differences in boolean settings
       # sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
       Show statistics for allow and allowxperm rule changes (how many rules were added, removed, or modified)
       # sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
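       The following POSIX shell functions are an added example, not part of SETools or of this manual. They turn the second example above into a change gate: run sediff -A --stats on a baseline and a candidate policy, read the counts back, and fail when any allow or allowxperm rule was added. The block assumes that sediff --stats prints one summary line per element kind shaped like "Allow Rules (3 Added, 0 Removed, 1 Modified)"; the kind names "Allow Rules" and "Allowxperm Rules" and the sample statistics embedded for offline use are constructed on that assumption, and the helper names stat_count and gate_no_additions are the example's own.

```shell
#!/bin/sh
# Added example: gate a policy change on `sediff --stats` output.
# Assumption (not from the sediff manual): each element kind is summarised on
# one line of the form
#   Allow Rules (3 Added, 0 Removed, 1 Modified)
# The kind names and the sample text below are constructed for this example.

# Constructed sample of what `sediff -A --stats OLD NEW` might print.
SAMPLE_STATS='Allow Rules (3 Added, 0 Removed, 1 Modified)
Allowxperm Rules (0 Added, 1 Removed, 0 Modified)'

# stat_count STATS KIND FIELD : print the number reported for FIELD
# (Added, Removed or Modified) on the line for KIND in STATS.
# Prints 0 when KIND does not appear at all.
stat_count() {
    stats=$1
    kind=$2
    field=$3
    n=$(printf '%s\n' "$stats" |
        grep "^${kind} (" |                 # only this kind's summary line
        sed -n 's/.*(\(.*\)).*/\1/p' |      # keep the text inside the parens
        tr ',' '\n' |                       # one "<n> <Field>" per line
        grep " ${field}\$" |
        awk '{ print $1 }')
    echo "${n:-0}"
}

# gate_no_additions STATS KIND... : return 0 when none of the given kinds
# report an Added count above zero; otherwise list the offenders on stderr
# and return 1.
gate_no_additions() {
    stats=$1
    shift
    rc=0
    for kind in "$@"; do
        added=$(stat_count "$stats" "$kind" Added)
        if [ "$added" -gt 0 ]; then
            echo "FAIL: $added $kind added" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: gate.sh /backup/policy.33 /etc/selinux/targeted/policy/policy.33
# With no arguments the file only defines the functions (so it can be sourced).
if [ $# -eq 2 ]; then
    stats=$(sediff -A --stats "$1" "$2") || exit 2
    gate_no_additions "$stats" "Allow Rules" "Allowxperm Rules"
fi
```

       Removed and modified rules are deliberately not gated here: a removed allow rule only tightens the policy, while a modified one needs a human to read the full (non --stats) output to see which permissions changed.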

Expressions

       The user may specify an expression listing the policy elements to differentiate.  If  not  provided,  all
       supported policy elements are examined.

   ComponentDifferences
       --common
              Find differences in common permission sets.

       -c, --class
              Find differences in object classes.

       -t, --type
              Find differences in attributes associated with types.

       -a, --attribute
              Find differences in types assigned to attributes.

       -r, --role
              Find differences in types authorized for roles.

       -u, --user
              Find differences in roles authorized for users.

       -b, --bool
              Find differences in the default values of booleans.

       --sensitivity
              Find differences in sensitivity definitions.

       --category
              Find differences in category definitions.

       --level
              Find differences in MLS level definitions.

   TypeEnforcementRuleDifferences
       -A     Find differences in allow and allowxperm rules.

       --allow
              Find differences in allow rules.

       --auditallow
              Find differences in auditallow rules.

       --dontaudit
              Find differences in dontaudit rules.

       --allowxperm
              Find differences in allowxperm rules.

       --auditallowxperm
              Find differences in auditallowxperm rules.

       --dontauditxperm
              Find differences in dontauditxperm rules.

       -T, --type_trans
              Find differences in type_transition rules.

       --type_member
              Find differences in type_member rules.

       --type_change
              Find differences in type_change rules.

   RBACRuleDifferences
       --role_allow
              Find differences in role allow rules.

       --role_trans
              Find differences in role_transition rules.

   MLSRuleDifferences
       --range_trans
              Find differences in range_transition rules.

   ConstraintDifferences
       --constrain
              Find differences in constrain rules.

       --mlsconstrain
              Find differences in mlsconstrain rules.

       --validatetrans
              Find differences in validatetrans rules.

       --mlsvalidatetrans
              Find differences in mlsvalidatetrans rules.

   LabelingStatementDifferences
       --ibendportcon
              Find differences in ibendportcon (InfiniBand endport context) statements.

       --ibpkeycon
              Find differences in ibpkeycon (InfiniBand partition key context) statements.

       --initialsid
              Find differences in initial SID statements.

       --fs_use
              Find differences in fs_use_* statements.

       --genfscon
              Find differences in genfscon statements.

       --netifcon
              Find differences in netifcon statements.

       --nodecon
              Find differences in nodecon statements.

       --portcon
              Find differences in portcon statements.

   OtherDifferences
       --default
              Find differences in default_* statements.

       --property
              Find  differences  in  policy properties. Only applicable for binary policies (policy version, MLS
              enabled/disabled, unknown permissions setting).

       --polcap
              Find differences in policy capabilities.

       --typebounds
              Find differences in typebounds statements.

Name

       sediff - SELinux policy difference tool

Options

       -h, --help
              Print help information and exit.

       --stats
              Print difference statistics only.

       --version
              Print version information and exit.

       -v, --verbose
              Print additional informational messages.

       --debug
              Enable debugging output.

Policy

       A  single  file  containing  a binary policy. This file is usually named by version on Linux systems, for
       example, policy.30. This file is usually named sepolicy on Android systems.  If not provided, sediff will
       print an error message and exit.
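       As an added example (not SETools code), the following POSIX shell functions locate the binary policy that is currently installed, so that a backup can be compared against it without hard-coding the version number in the file name. The block assumes that the policy store is selected by the SELINUXTYPE line of /etc/selinux/config and that the installed policy is the highest-numbered policy.N in /etc/selinux/<type>/policy; the SELINUX_ROOT variable and the helper names selinux_type, newest_policy and active_policy are the example's own, and the test data is constructed.

```shell
#!/bin/sh
# Added example: find the installed binary policy and diff a backup against it.
# Assumptions (not stated by the sediff manual): SELINUXTYPE comes from
# /etc/selinux/config and the loaded policy is the highest-numbered
# policy.<N> under /etc/selinux/<type>/policy. SELINUX_ROOT is overridable
# so the functions can be exercised against a constructed tree.
SELINUX_ROOT=${SELINUX_ROOT:-/etc/selinux}

# selinux_type CONFIG : print the SELINUXTYPE value from an
# /etc/selinux/config style file, ignoring comments, blank lines and
# surrounding whitespace. The last assignment wins, as it would for the shell.
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
        tail -n 1
}

# newest_policy DIR : print the path of the highest-version policy.<N> in DIR.
# Versions are compared numerically, so policy.33 beats policy.9; a plain
# `ls | sort | tail -1` would pick policy.9. Returns 1 if there is none.
newest_policy() {
    dir=$1
    best=""
    bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue            # unmatched glob or not a file
        ver=${f##*.}
        case $ver in
            ''|*[!0-9]*) continue ;;       # skip policy.kern and the like
        esac
        if [ "$ver" -gt "$bestver" ]; then
            best=$f
            bestver=$ver
        fi
    done
    if [ -z "$best" ]; then
        return 1
    fi
    printf '%s\n' "$best"
}

# active_policy [CONFIG] : print the path of the installed binary policy.
active_policy() {
    cfg=${1:-$SELINUX_ROOT/config}
    type=$(selinux_type "$cfg")
    if [ -z "$type" ]; then
        echo "no SELINUXTYPE in $cfg" >&2
        return 1
    fi
    newest_policy "$SELINUX_ROOT/$type/policy"
}

# Usage: compare.sh /backup/policy.33
# Compares the backup against the installed policy; drop -A to examine every
# supported element instead of only allow and allowxperm rules.
if [ $# -eq 1 ]; then
    active=$(active_policy) || exit 2
    sediff -A "$1" "$active"
fi
```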

See Also

apol(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)

SELinux Project                                    2016-04-19                                          sediff(1)

Synopsis

sediff [OPTIONS] [EXPRESSION] POLICY1 POLICY2