Project 8: SELinux Policy Diff Tool
A tool that compares two SELinux policy versions (or a policy before/after module installation) and reports exactly what changed: new types, modified rules, removed permissions.
Quick Reference
| Attribute | Value |
|---|---|
| Primary Language | Python |
| Alternative Languages | Rust, Go |
| Difficulty | Level 3: Advanced |
| Time Estimate | 2-3 weeks |
| Knowledge Area | SELinux Policy Analysis / Change Management |
| Tooling | seinfo, sediff, apol |
| Prerequisites | Projects 1-3 completed, understanding of policy modules |
What You Will Build
A tool that compares two SELinux policy versions (or a policy before/after module installation) and reports exactly what changed: new types, modified rules, removed permissions.
Why It Matters
This project builds core skills that appear repeatedly in real-world systems and tooling.
Core Challenges
- Parsing policy binaries or source → maps to policy compilation and structure
- Identifying meaningful vs cosmetic changes → maps to understanding policy semantics
- Handling large rule sets efficiently → maps to policy optimization
- Presenting diffs clearly → maps to security communication
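The following differ is an added example written for this page, not the project's own code: it works the first, second and fourth challenges above on a small scale. It parses `type`, `bool` and `allow` statements in policy-source syntax (the same form seinfo and sesearch print), canonicalises allow rules to a (source, target, class) key with a permission set so that rule splitting and permission order count as cosmetic, reports per-permission additions and removals, and flags added permissions against watch lists. The watch lists and the two policy snapshots are constructed for illustration; the exact "sensitive type" set is an assumption, not a vetted list.

```python
"""Minimal SELinux policy differ (added example, not the project's own code).
Parses `type`, `bool` and `allow` statements in policy-source syntax (the form
seinfo/sesearch also print), canonicalises them, and reports per-permission
changes plus a small security assessment built on constructed watch lists."""
import re

_ALLOW = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")
_TYPE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([^;]+))?;")
_BOOL = re.compile(r"^bool\s+(\w+)\s+(true|false)\s*;")

SENSITIVE_TYPES = {"shadow_t", "etc_t", "boot_t"}   # constructed watch list (assumption)
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}
NETWORK_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}

def parse_policy(text):
    """Return (rules, types, bools); rules maps (src, tgt, class) -> frozenset(perms).
    Keying on the triple merges split rules, so `allow a b:f read;` plus
    `allow a b:f write;` equals `allow a b:f { write read };`: rule splitting
    and permission order are cosmetic and never show up as a diff.
    """
    rules, types, bools = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if m := _ALLOW.match(line):
            src, tgt, cls, perms = m.groups()
            rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
        elif m := _TYPE.match(line):
            name, attrs = m.groups()
            types[name] = frozenset(a.strip() for a in attrs.split(",")) if attrs else frozenset()
        elif m := _BOOL.match(line):
            bools[m.group(1)] = m.group(2) == "true"
    return {k: frozenset(v) for k, v in rules.items()}, types, bools

def diff_rules(old, new):
    """Per-permission diff: (added, removed) as sorted (src, tgt, cls, perm) tuples."""
    added, removed = [], []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, frozenset()), new.get(key, frozenset())
        added += [key + (p,) for p in sorted(after - before)]
        removed += [key + (p,) for p in sorted(before - after)]
    return added, removed

def assess(added):
    """Flag added permissions a reviewer should look at first (one line per domain/target)."""
    findings = set()
    for src, tgt, cls, perm in added:
        if tgt in SENSITIVE_TYPES and perm in WRITE_LIKE:
            findings.add(f"new write access to sensitive type: {src} -> {tgt}:{cls}")
        if cls in NETWORK_CLASSES:
            findings.add(f"new network access for {src} - verify intended")
    return sorted(findings)

def diff_policies(old_text, new_text):
    """Compare two policy snapshots given as text; returns a report dict."""
    old_rules, old_types, old_bools = parse_policy(old_text)
    new_rules, new_types, new_bools = parse_policy(new_text)
    added, removed = diff_rules(old_rules, new_rules)
    return {"types_added": sorted(set(new_types) - set(old_types)),
            "types_removed": sorted(set(old_types) - set(new_types)),
            "bools_added": sorted(set(new_bools) - set(old_bools)),
            "bools_removed": sorted(set(old_bools) - set(new_bools)),
            "rules_added": added, "rules_removed": removed, "findings": assess(added)}

def render(r):
    """Plain-text report in the spirit of the project's sample output."""
    lines = ["SELinux Policy Comparison Report", "=" * 32, f"{'Category':<18}{'Added':>6}{'Removed':>9}"]
    for label, a, b in (("Types", r["types_added"], r["types_removed"]),
                        ("Allow Permissions", r["rules_added"], r["rules_removed"]),
                        ("Booleans", r["bools_added"], r["bools_removed"])):
        lines.append(f"{label:<18}{'+' + str(len(a)):>6}{'-' + str(len(b)):>9}")
    lines += [f"+ allow {s} {t}:{c} {p};" for s, t, c, p in r["rules_added"]]
    lines += [f"- allow {s} {t}:{c} {p};" for s, t, c, p in r["rules_removed"]]
    lines += ["⚠ " + f for f in r["findings"]] or ["✓ no findings"]
    return "\n".join(lines)

# Constructed sample snapshots, not real distribution policy.
OLD_POLICY = """
type httpd_t, domain;
type tmp_t, file_type;
type shadow_t, file_type;
allow httpd_t tmp_t:file { read write };
allow httpd_t self:tcp_socket { create connect };
"""
NEW_POLICY = """
type httpd_t, domain;
type tmp_t, file_type;
type shadow_t, file_type;
type myapp_t, domain;
type myapp_log_t, file_type;
allow httpd_t tmp_t:file read;                 # write dropped: a real removal
allow httpd_t self:tcp_socket connect;         # old rule split in two:
allow httpd_t self:tcp_socket create;          #   cosmetic, must not diff
allow myapp_t self:tcp_socket { create connect };
allow myapp_t myapp_log_t:file { create write append };
allow myapp_t shadow_t:file { read write };    # should be flagged
bool myapp_can_network false;
"""

if __name__ == "__main__":
    print(render(diff_policies(OLD_POLICY, NEW_POLICY)))
```

Running the block prints one removed permission (`httpd_t` losing `write` on `tmp_t`), seven added permissions, and two findings, while the split `httpd_t self:tcp_socket` rule produces no diff at all. The same per-permission key is what lets the full project treat `typeattribute` expansion, `dontaudit`/`neverallow` statements and conditional (boolean-gated) rules as further columns of the same canonical form; those are not handled here, and a production tool would load the binary policy through the setools library that backs seinfo and sediff rather than re-parsing text.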
Key Concepts
- Policy Binary Format: SELinux by Example - Policy Internals
- sediff Tool: SETools documentation
- Policy Modules: SELinux Notebook - Modular Policy section
- Rule Analysis: seinfo and sesearch internals
Real-World Outcome
$ ./selinux-policy-diff policy.31 policy.32
SELinux Policy Comparison Report
================================
Base: policy.31 (2024-01-01)
Target: policy.32 (2024-01-15)
SUMMARY:
┌──────────────────┬───────┬─────────┐
│ Category         │ Added │ Removed │
├──────────────────┼───────┼─────────┤
│ Types            │ +3    │ -0      │
│ Attributes       │ +1    │ -0      │
│ Allow Rules      │ +47   │ -2      │
│ Type Transitions │ +5    │ -0      │
│ Booleans         │ +2    │ -0      │
└──────────────────┴───────┴─────────┘
NEW TYPES:
+ myapp_t (domain attribute)
+ myapp_exec_t (file attribute)
+ myapp_log_t (file attribute)
NEW ALLOW RULES (security-relevant):
+ allow myapp_t self:tcp_socket { create connect };
+ allow myapp_t http_port_t:tcp_socket name_connect;
+ allow myapp_t myapp_log_t:file { create write append };
REMOVED RULES:
- allow httpd_t tmp_t:file write; # GOOD: Reduced permissions
- allow ftpd_t user_home_t:dir search;
NEW BOOLEANS:
+ myapp_can_network (default: off)
+ myapp_use_nfs (default: off)
SECURITY ASSESSMENT:
✓ No new unconfined permissions
✓ No new write access to sensitive types
⚠ New network access for myapp_t - verify intended
$ ./selinux-policy-diff --module myapp.pp --show-rules
Implementation Guide
- Reproduce the simplest happy-path scenario.
- Build the smallest working version of the core feature.
- Add input validation and error handling.
- Add instrumentation/logging to confirm behavior.
- Refactor into clean modules with tests.
Milestones
- Milestone 1: Minimal working program that runs end-to-end.
- Milestone 2: Correct outputs for typical inputs.
- Milestone 3: Robust handling of edge cases.
- Milestone 4: Clean structure and documented usage.
Validation Checklist
- Output matches the real-world outcome example
- Handles invalid inputs safely
- Provides clear errors and exit codes
- Repeatable results across runs
References
- Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
- “SELinux by Example” by Frank Mayer