CHECKPOLICY(8)              System Manager's Manual             CHECKPOLICY(8)

NAME

       checkpolicy - SELinux policy compiler

SYNOPSIS

       checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)]
       [-M] [-c policyvers] [-o output_file|-] [-S] [-t target_platform
       (selinux,xen)] [-O] [-E] [-V] [input_file]

DESCRIPTION

       This manual page describes the checkpolicy command.

       checkpolicy is a program that checks and compiles a SELinux security
       policy configuration into a binary representation that can be loaded
       into the kernel. If no input file name is specified, checkpolicy will
       attempt to read from policy.conf or policy, depending on whether the -b
       flag is specified.

OPTIONS

       -b,--binary
              Read an existing binary policy file rather than a source
              policy.conf file.

       -F,--conf
              Write policy.conf file rather than binary policy file. Can only
              be used with binary policy file.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -d,--debug
              Enter debug mode after loading the policy.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

       -M,--mls
              Enable the MLS policy when checking and compiling the policy.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy) to the
              specified filename. If - is given as filename, write it to
              standard output.

       -S,--sort
              Sort ocontexts before writing out the binary policy. This option
              makes output of checkpolicy consistent with binary policies
              created by semanage and secilc.

       -t,--target
              Specify the target platform (selinux or xen).

       -O,--optimize
              Optimize the final kernel policy (remove redundant rules).

       -E,--werror
              Treat warnings as errors.

       -V,--version
              Show version information.

       -h,--help
              Show usage information.

EXAMPLE

       Generate policy.conf based on the system policy:
       # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf

       Recompile the system policy so that unknown permissions are denied (uses
       the policy.conf generated above). Note that the binary policy file
       extension represents its version, which is subject to change:
       # checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
       # load_policy

       Generate a CIL representation of the current system policy:
       # checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out
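
       The note above says the binary policy's extension is its version and
       can change, so a script that hard-codes policy.33 is fragile. The
       following is an added example, not part of the original manual page:
       it finds the highest-numbered policy.N file and compiles into a
       temporary file first, so a failed build never overwrites the live
       policy. The function names and the staging file name are assumptions
       of this example.

```shell
#!/bin/sh
# Added example; latest_policy and rebuild_policy are hypothetical helper
# names, not part of checkpolicy.

# Print the path of the highest-numbered policy.N file in directory $1.
# Versions are compared numerically, so policy.9 does not outrank policy.33.
latest_policy() {
    dir=$1 best= bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case $ver in
            ''|*[!0-9]*) continue ;;   # skip policy.conf and other non-numeric names
        esac
        if [ "$ver" -gt "$bestver" ]; then
            best=$f bestver=$ver
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Recompile source policy $2 at the version found in policy directory $1.
# Flags mirror the manual's example (-M, -U deny); -E turns warnings into
# errors and -c pins the version taken from the file extension.
# The live file is replaced only if checkpolicy exits successfully.
rebuild_policy() {
    target=$(latest_policy "$1") || { echo "no policy.N in $1" >&2; return 1; }
    # Dot-prefixed staging name (assumption) in the same directory, so the
    # final mv is a rename and latest_policy never matches the staging file.
    tmp=$(mktemp "$1/.policy.tmp.XXXXXX") || return 1
    if checkpolicy -M -E -U deny -c "${target##*.}" -o "$tmp" "$2"; then
        mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

       After a successful rebuild_policy, run load_policy as in the example
       above to load the new policy.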

SEE ALSO

       SELinux Reference Policy documentation at
       https://github.com/SELinuxProject/refpolicy/wiki

AUTHOR

       This manual page was written by Árpád Magosányi
       <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley
       <sds@tycho.nsa.gov>. The program was written by Stephen Smalley
       <sds@tycho.nsa.gov>.

                                                                CHECKPOLICY(8)