1CHECKMODULE(8)              System Manager's Manual             CHECKMODULE(8)
2
3
4

NAME

6       checkmodule - SELinux policy module compiler
7

SYNOPSIS

9       checkmodule [-h] [-b] [-C] [-m] [-M] [-U handle_unknown ] [-V] [-o out‐
10       put_file] [input_file]
11

DESCRIPTION

13       This manual page describes the checkmodule command.
14
15       checkmodule is a program that checks and compiles  a  SELinux  security
16       policy  module  into a binary representation.  It can generate either a
17       base policy module (default) or a non-base policy module  (-m  option);
18       typically, you would build a non-base policy module to add to an exist‐
19       ing module store that already has a base module provided  by  the  base
20       policy.   Use semodule_package to combine this module with its optional
21       file contexts to create a policy package,  and  then  use  semodule  to
22       install the module package into the module store and load the resulting
23       policy.
24
25

OPTIONS

27       -b,--binary
28              Read an existing binary policy module file rather than a  source
29              policy module file.  This option is a development/debugging aid.
30
31       -C,--cil
32              Write CIL policy file rather than binary policy file.
33
34       -h,--help
35              Print usage.
36
37       -m     Generate a non-base policy module.
38
39       -M,--mls
40              Enable  the MLS/MCS support when checking and compiling the pol‐
41              icy module.
42
43       -V,--version
44               Show policy versions created by this program.   Note  that  you
45              cannot currently build older versions.
46
47       -o,--output filename
48              Write  a  binary  policy  module file to the specified filename.
49              Otherwise, checkmodule will only check the syntax of the  module
50              source file and will not generate a binary module at all.
51
52       -U,--handle-unknown <action>
53              Specify  how the kernel should handle unknown classes or permis‐
54              sions (deny, allow or reject).
55
56

EXAMPLE

58       # Build a MLS/MCS-enabled non-base policy module.
59       $ checkmodule -M -m httpd.te -o httpd.mod
60
61

SEE ALSO

63       semodule(8),    semodule_package(8)    SELinux     documentation     at
64       http://www.nsa.gov/research/selinux,    especially   "Configuring   the
65       SELinux Policy".
66
67
68

AUTHOR

70       This manual page was copied from the checkpolicy man  page  written  by
71       Arpad  Magosanyi  <mag@bunuel.tii.matav.hu>,  and  edited  by Dan Walsh
72       <dwalsh@redhat.com>.   The  program  was  written  by  Stephen  Smalley
73       <sds@tycho.nsa.gov>.
74
75
76
77                                                                CHECKMODULE(8)
Impressum