sediff without specifying differences does not print all differences
n2N8Z opened this issue · 5 comments
version: latest from git: https://github.com/SELinuxProject/setools.git
At the end of the sediff usage help it states:
If no differences are selected, all differences will be printed.
But labeling differences for one are not printed when no differences are selected.
e.g.
date; ./sediff ../policy.kern.28 ../policy.kern.28.2
Fri 28 Jun 2019 10:02:06 PM CEST
Policy Properties (0 Modified)
(no differences)
The labelling differences are only printed when explicitly requested.
date; ./sediff --portcon ../policy.kern.28 ../policy.kern.28.2; date
Fri 28 Jun 2019 11:01:55 PM CEST
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 65535 system_u:object_r:syslog_es_port_t:s0
Fri 28 Jun 2019 11:01:56 PM CEST
I cannot reproduce this behavior with master.
@pebenito
So you compare two policies that differ only in a portcon, you provide no options to sediff, and it displays the portcon difference for you?
Can you show an example?
As shown in my post, this issue exists in master.
I did exactly as you did:
$ ./sediff ../refpolicy/policy.31{.old,}
Policy Properties (0 Modified)
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 7007 system_u:object_r:afs_bos_port_t
Turns out this issue is caused by sediff huge memory usage (#21).
-rw-r--r--. 1 root root 3857006 Jul 14 14:45 ../policy.kern.31
-rw-r--r--. 1 root root 3857050 Jul 14 14:47 ../policy.kern.31.2
On a system with 16GB:
Sometimes there's a "Killed" message
[root@localhost setools]# date; ./sediff --portcon ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 03:46:32 PM CEST
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 1-5 system_u:object_r:syslog_tls_port_t:s0Mon 15 Jul 2019 03:46:33 PM CEST
[root@localhost setools]# date; ./sediff ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 03:46:35 PM CEST
Policy Properties (0 Modified)
But usually it just fails silently.
[root@localhost setools]# date; ./sediff --portcon ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 03:54:05 PM CEST
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 1-5 system_u:object_r:syslog_tls_port_t:s0Mon 15 Jul 2019 03:54:06 PM CEST
[root@localhost setools]# date; ./sediff ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 03:54:09 PM CEST
Policy Properties (0 Modified)
On a system with 64GB:
[root@ip-10-120-35-57 setools]# date; ./sediff --portcon ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 01:27:32 PM UTC
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 1-5 system_u:object_r:syslog_tls_port_t:s0Mon 15 Jul 2019 01:27:32 PM UTC
[root@ip-10-120-35-57 setools]# date; ./sediff ../policy.kern.31 ../policy.kern.31.2; date
Mon 15 Jul 2019 01:27:38 PM UTC
Portcons (1 Added, 0 Removed, 0 Modified)
Added Portcons: 1
+ portcon tcp 1-5 system_u:object_r:syslog_tls_port_t:s0Mon 15 Jul 2019 02:44:05 PM UTC
[root@ip-10-120-35-57 setools]#
Max real memory usage was 38GB (38865.570MB) @ 3846-3848s.
Duration was 1h17m.
Portcons are diffed at the end, after the TE rules. If sediff is killed by the OOM killer or something else before that, then the portcon diff won't be printed. The "killed" message does not come from sediff. The OOM killer terminates sediff with SIGKILL, which is not catchable by sediff.
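The point in the last comment, that a SIGKILL from the OOM killer leaves sediff no chance to say anything and the shell only sees exit status 137, is worth checking for explicitly rather than reading a truncated listing as "no differences". The helpers below are an added example written for this thread; they are not code from setools or from any participant. They rely on the POSIX convention that a status above 128 means "killed by signal status-128" and on `kill -l N` printing that signal's name. `--portcon` is the sediff option shown in this issue; the other labeling options in `diff_by_category` are assumed to match the installed sediff and should be checked against `sediff --help`.

```shell
#!/bin/sh
# Added example; not code from setools or from this issue thread.
# sediff cannot report that it was SIGKILLed (e.g. by the OOM killer): the shell
# that ran it sees exit status 128+9 = 137 and nothing else. These helpers turn
# that status into an explicit verdict and run the cheap labeling diffs in their
# own sediff invocations, so a kill during the TE-rule diff cannot hide them.

# classify_status STATUS
# Prints "ok", "failed N" or "killed SIGNAME". POSIX shells report a child
# killed by signal N as status 128+N, so 137 is SIGKILL. Returns 0 only for ok.
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
        return 0
    fi
    if [ "$st" -gt 128 ]; then
        # kill -l takes a signal number and prints its name (9 -> KILL)
        echo "killed $(kill -l $((st - 128)))"
    else
        echo "failed $st"
    fi
    return 1
}

# run_and_classify CMD [ARGS...]
# Runs CMD with its stdout untouched and prints the verdict for its exit status
# as the last line on stderr. Returns 0 only for a clean run.
run_and_classify() {
    status=0
    "$@" || status=$?        # the || keeps set -e from aborting on failure
    classify_status "$status" >&2
}

# diff_by_category SEDIFF OLD NEW
# Runs SEDIFF once per labeling category and returns the number of invocations
# that did not finish cleanly, so a silent kill is never mistaken for
# "no differences". --portcon is from this issue; the other option names are an
# assumption to be checked against the installed sediff --help.
diff_by_category() {
    sediff=$1; old=$2; new=$3
    bad=0
    for opt in --portcon --genfscon --netifcon --nodecon --fs_use; do
        status=0
        "$sediff" "$opt" "$old" "$new" || status=$?
        echo "$opt: $(classify_status "$status")" >&2
        [ "$status" -eq 0 ] || bad=$((bad + 1))
    done
    return $bad
}

# Usage (the policy paths are placeholders):
#   run_and_classify sediff policy.kern.31 policy.kern.31.2
#   diff_by_category sediff policy.kern.31 policy.kern.31.2
```

Running the full diff under an address-space limit, e.g. `(ulimit -v 8000000; run_and_classify sediff old new)`, typically turns an OOM kill into a Python MemoryError with a traceback and a non-zero exit, which `classify_status` reports as "failed" instead of "killed"; either way the run is flagged rather than passing as a clean "Policy Properties (0 Modified)".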