checkpolicy - Man Page

SELinux policy compiler

Synopsis

checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-N] [-L] [-c policyvers] [-o output_file|-] [-S] [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]

Description

This manual page describes the checkpolicy command.

checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b flag is specified.

Options

-b,--binary

Read an existing binary policy file rather than a source policy.conf file.

-F,--conf

Write policy.conf file rather than binary policy file. Can only be used with binary policy file.

-C,--cil

Write CIL policy file rather than binary policy file.

-d,--debug

Enter debug mode after loading the policy.

-U,--handle-unknown <action>

Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

-M,--mls

Enable the MLS policy when checking and compiling the policy.

-N,--disable-neverallow

Do not check neverallow rules.

-L,--line-marker-for-allow

Output line markers for allow rules, in addition to neverallow rules. This option increases the size of the output CIL policy file, but the additional line markers helps debugging, especially neverallow failure reports. Can only be used when writing a CIL policy file.

-c policyvers

Specify the policy version, defaults to the latest.

-o,--output filename

Write a policy file (binary, policy.conf, or CIL policy) to the specified filename. If - is given as filename, write it to standard output.

-S,--sort

Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.

-t,--target

Specify the target platform (selinux or xen).

-O,--optimize

Optimize the final kernel policy (remove redundant rules).

-E,--werror

Treat warnings as errors

-V,--version

Show version information.

-h,--help

Show usage information.

Example

Generate policy.conf based on the system policy
# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
Note that binary policy extension represents its version, which is subject to change
# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
# load_policy
Generate CIL representation of current system policy
# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out

See Also

SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki

Author

This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley <stephen.smalley.work@gmail.com>. The program was written by Stephen Smalley <stephen.smalley.work@gmail.com>.

Referenced By

checkpolicy_selinux(8), restorecon(8), setfiles(8).