Until now, we’ve analyzed a single policy set, finding the domain transitions and information flow paths. The commands and applications we’ve used all focus on this single-policy analysis. Another important analysis is to compare two policies. Policy developers can use this to compare a new policy with an old one, or to compare two system policies to see what additional rules have been added by the administrator.
Using sediff to compare policies
sediff tool looks at the differences between two policy files and reports those to the user. It is often not sensible to use this against completely different policies, but is powerful for finding slight differences between policies, which can assist in troubleshooting issues across different systems.
A common use case for
sediff is to validate that a source-built policy file is the same as the distribution-provided binary policy file. Administrators can then be certain that the source code they’ve used to build a policy file is the same as that used by the distribution, even when the binary files themselves (the
policy.## file) have different checksums:
$ sediff policy.31 /sys/fs/selinux/policy Policy Properties (0 Modified) Classes (1 Added, 0 Removed, 4 Modified) Added Classes: 1 + xdp_socket Modified Classes: 4 * capability2 (1 Removed permissions) - compromise_kernel * process (1 Added permissions, 1 Removed permissions) + getrlimit ...