checkpolicy - SELinux policy compiler
checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown
(allow,deny,reject)] [-M] [-c policyvers] [-o output_file|-] [-S] [-t
target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]
This manual page describes the checkpolicy command.
checkpolicy is a program that checks and compiles a SELinux
security policy configuration into a binary representation that can be
loaded into the kernel. If no input file name is specified,
checkpolicy will attempt to read from policy.conf or policy,
depending on whether the -b flag is specified.
- -b,--binary
- Read an existing binary policy file rather than a source policy.conf
file.
- -F,--conf
- Write policy.conf file rather than binary policy file. Can only be used
with binary policy file.
- -C,--cil
- Write CIL policy file rather than binary policy file.
- -d,--debug
- Enter debug mode after loading the policy.
- -U,--handle-unknown
<action>
- Specify how the kernel should handle unknown classes or permissions (deny,
allow or reject).
- -M,--mls
- Enable the MLS policy when checking and compiling the policy.
- -c policyvers
- Specify the policy version, defaults to the latest.
- -o,--output
filename
- Write a policy file (binary, policy.conf, or CIL policy) to the specified
filename. If - is given as filename, write it to standard output.
- -S,--sort
- Sort ocontexts before writing out the binary policy. This option makes
output of checkpolicy consistent with binary policies created by semanage
and secilc.
- -t,--target
- Specify the target platform (selinux or xen).
- -O,--optimize
- Optimize the final kernel policy (remove redundant rules).
- -E,--werror
- Treat warnings as errors
- -V,--version
- Show version information.
- -h,--help
- Show usage information.
SELinux Reference Policy documentation at
https://github.com/SELinuxProject/refpolicy/wiki
This manual page was written by Árpád
Magosányi <mag@bunuel.tii.matav.hu>, and edited by Stephen
Smalley <sds@tycho.nsa.gov>. The program was written by Stephen
Smalley <sds@tycho.nsa.gov>.