checkpolicy - Man Page

SELinux policy compiler

Synopsis

checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-N] [-c policyvers] [-o output_file|-] [-S] [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]

Description

This manual page describes the checkpolicy command.

checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b flag is specified.

Options

-b,--binary

Read an existing binary policy file rather than a source policy.conf file.

-F,--conf

Write policy.conf file rather than binary policy file. Can only be used with binary policy file.

-C,--cil

Write CIL policy file rather than binary policy file.

-d,--debug

Enter debug mode after loading the policy.

-U,--handle-unknown <action>

Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

-M,--mls

Enable the MLS policy when checking and compiling the policy.

-N,--disable-neverallow

Do not check neverallow rules.

-c policyvers

Specify the policy version, defaults to the latest.

-o,--output filename

Write a policy file (binary, policy.conf, or CIL policy) to the specified filename. If - is given as filename, write it to standard output.

-S,--sort

Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.

-t,--target

Specify the target platform (selinux or xen).

-O,--optimize

Optimize the final kernel policy (remove redundant rules).

-E,--werror

Treat warnings as errors

-V,--version

Show version information.

-h,--help

Show usage information.

Example

Generate policy.conf based on the system policy
# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
Note that binary policy extension represents its version, which is subject to change
# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
# load_policy
Generate CIL representation of current system policy
# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out

See Also

SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki

Author

This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley <stephen.smalley.work@gmail.com>. The program was written by Stephen Smalley <stephen.smalley.work@gmail.com>.

Referenced By

checkpolicy_selinux(8), restorecon(8), setfiles(8).