1CHECKPOLICY(8) System Manager's Manual CHECKPOLICY(8)
2
6 checkpolicy - SELinux policy compiler
7
9 checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)]
10 [-M] [-c policyvers] [-o output_file] [-S] [-t target_platform
11 (selinux,xen)] [-V] [input_file]
12
14 This manual page describes the checkpolicy command.
15 checkpolicy is a program that checks and compiles a SELinux security
17 policy configuration into a binary representation that can be loaded
18 into the kernel. If no input file name is specified, checkpolicy will
19 attempt to read from policy.conf or policy, depending on whether the -b
20 flag is specified.
21
24 -b,--binary
25 Read an existing binary policy file rather than a source pol‐
26 icy.conf file.
27 -F,--conf
29 Write policy.conf file rather than binary policy file. Can only
30 be used with binary policy file.
31 -C,--cil
33 Write CIL policy file rather than binary policy file.
34 -d,--debug
36 Enter debug mode after loading the policy.
37 -U,--handle-unknown <action>
39 Specify how the kernel should handle unknown classes or permis‐
40 sions (deny, allow or reject).
41 -M,--mls
43 Enable the MLS policy when checking and compiling the policy.
44 -c policyvers
46 Specify the policy version, defaults to the latest.
47 -o,--output filename
49 Write a binary policy file to the specified filename.
50 -S,--sort
52 Sort ocontexts before writing out the binary policy. This option
53 makes output of checkpolicy consistent with binary policies cre‐
54 ated by semanage and secilc.
55 -t,--target
57 Specify the target platform (selinux or xen).
58 -V,--version
60 Show version information.
61 -h,--help
63 Show usage information.
64
67 SELinux documentation at http://www.nsa.gov/research/selinux, espe‐
68 cially "Configuring the SELinux Policy".
69
73 This manual page was written by Arpad Magosanyi
74 <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley
75 <sds@tycho.nsa.gov>. The program was written by Stephen Smalley
76 <sds@tycho.nsa.gov>.
77 CHECKPOLICY(8)