How to compare two SELinux modules?

Since SELinux userspace 2.4, semodule -l no longer lists module versions. One reason is that CIL, the intermediate language used in the SELinux module store for cached modules, supports neither a module name nor a module version.

Another reason is that the version was never really used by the SELinux tools: semodule -i did the same thing as semodule -u, and neither checked the module version. So you could install a module with the same name and the same version as an already installed module and you would not see any error or warning.

Compare modules

First, if you want to compare an already installed module with a new one, you need to extract the former from the module store:

$ sudo semodule -H -E sandbox
Module 'sandbox' does not exist at the default priority '400'. Extracting at highest existing priority '400'.

$ ls
sandbox.pp

You can even extract a module as a CIL file, which makes the output human-readable, since CIL is a text format.

$ sudo semodule -c -E sandbox
Module 'sandbox' does not exist at the default priority '400'. Extracting at highest existing priority '400'.

$ ls
sandbox.cil  sandbox.pp

Now you can compare the extracted module with a module you plan to install.

$ cmp /usr/share/selinux/packages/sandbox.pp sandbox.pp

$ echo $?
0

$ sudo cmp /root/sandbox.pp sandbox.pp
/root/sandbox.pp sandbox.pp differ: byte 17, line 1

If you want to use CIL, you need to convert the .pp files to .cil first:

$ sudo /usr/libexec/selinux/hll/pp /root/sandbox.pp > /tmp/root-sandbox.cil

$ sudo /usr/libexec/selinux/hll/pp /usr/share/selinux/packages/sandbox.pp > /tmp/packages-sandbox.cil

$ cmp /tmp/packages-sandbox.cil sandbox.cil

$ echo $?
0

$ cmp /tmp/root-sandbox.cil sandbox.cil
/tmp/root-sandbox.cil sandbox.cil differ: byte 514, line 12

The advantage of using CIL is that you can simply run a diff tool on .cil files and look for differences:

$ diff -u /tmp/root-sandbox.cil sandbox.cil
--- /tmp/root-sandbox.cil       2016-11-11 14:09:58.655970255 +0100
+++ sandbox.cil 2016-11-11 13:53:32.082375003 +0100
@@ -9,15 +9,33 @@
 (typeattributeset domain (sandbox_t ))
 (typeattributeset cil_gen_require corenet_unlabeled_type)
 (typeattributeset corenet_unlabeled_type (sandbox_t ))
+(typeattributeset cil_gen_require memory_raw_read)
+(typeattributeset memory_raw_read (sandbox_t ))
+(typeattributeset cil_gen_require memory_raw_write)
+(typeattributeset memory_raw_write (sandbox_t ))
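Review bot: the four `+` lines add sandbox_t to the memory_raw_read and memory_raw_write attributes, which the packaged module does not do; attribute membership is what allow rules key on, so this is a widening of the sandbox domain's privileges rather than a cosmetic difference, and it should be justified before the /root copy is installed over the packaged module. Note also that the hunk header announces 15 old and 33 new lines while only these seven are shown, so the rest of the added statements are not visible here.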

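The cmp and diff steps above compare bytes and lines, so a module that merely reorders or reformats its statements also shows up as different. As an added example (not part of the original post), the following Python script compares two CIL modules at the statement level, ignoring order and whitespace, and then reports which types gained or lost attributes, which is the change a policy reviewer actually cares about. The two CIL inputs are constructed from the diff shown above rather than taken from the real extracted files, and the attribute parser assumes plain type lists in typeattributeset statements.

```python
import re
from collections import Counter
# Constructed CIL fragments modelled on the diff in the post (not the real
# extracted files): the packaged sandbox module and the /root copy of it.
PACKAGED_CIL = """\
(typeattributeset domain (sandbox_t ))
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset corenet_unlabeled_type (sandbox_t ))
"""
ROOT_CIL = """\
(typeattributeset cil_gen_require corenet_unlabeled_type)
(typeattributeset corenet_unlabeled_type (sandbox_t ))
(typeattributeset domain (sandbox_t ))
(typeattributeset cil_gen_require memory_raw_read)
(typeattributeset memory_raw_read (sandbox_t ))
(typeattributeset cil_gen_require memory_raw_write)
(typeattributeset memory_raw_write (sandbox_t ))
"""
def cil_statements(text):
    """Top-level CIL statements: ';' comments dropped, whitespace normalised."""
    stmts, depth, buf = [], 0, []
    for line in text.splitlines():
        for ch in line.split(';', 1)[0] + ' ':
            if ch == '(':
                depth += 1
            if depth:
                buf.append(ch)
            if ch == ')':
                depth -= 1
                if depth == 0:          # balanced group closed: one statement
                    stmts.append(' '.join(''.join(buf).split()))
                    buf = []
    return stmts

def compare_cil(old_text, new_text):
    """Order-insensitive comparison; returns (added, removed) statement lists."""
    old, new = Counter(cil_statements(old_text)), Counter(cil_statements(new_text))
    return sorted((new - old).elements()), sorted((old - new).elements())

# Matches "(typeattributeset ATTR (type1 type2 ))" with a plain type list.
ATTR_RE = re.compile(r'^\(typeattributeset (\S+) \((.*?)\s*\)\)$')
def attribute_changes(added, removed):
    """Map each type to the attributes it gains/loses: what allow rules key on."""
    gained, lost = {}, {}
    for target, stmts in ((gained, added), (lost, removed)):
        for m in filter(None, map(ATTR_RE.match, stmts)):
            if m.group(1) != 'cil_gen_require':     # require stubs, not grants
                for t in m.group(2).split():
                    target.setdefault(t, []).append(m.group(1))
    return gained, lost
```

For real modules, pass the contents of the .cil files produced by semodule -c -E and hll/pp to compare_cil and feed its result to attribute_changes.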