checkpolicy(8) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | SEE ALSO | AUTHOR | COLOPHON

CHECKPOLICY(8)           System Manager's Manual          CHECKPOLICY(8)

NAME         top

       checkpolicy - SELinux policy compiler

SYNOPSIS         top

       checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown
       (allow,deny,reject)] [-M] [-c policyvers] [-o output_file|-] [-S]
       [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]

DESCRIPTION         top

       This manual page describes the checkpolicy command.

       checkpolicy is a program that checks and compiles a SELinux
       security policy configuration into a binary representation that
       can be loaded into the kernel.  If no input file name is
       specified, checkpolicy will attempt to read from policy.conf or
       policy, depending on whether the -b flag is specified.

OPTIONS         top

       -b,--binary
              Read an existing binary policy file rather than a source
              policy.conf file.

       -F,--conf
              Write policy.conf file rather than binary policy file. Can
              only be used with binary policy file.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -d,--debug
              Enter debug mode after loading the policy.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

       -M,--mls
              Enable the MLS policy when checking and compiling the
              policy.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy)
              to the specified filename. If - is given as filename,
              write it to standard output.

       -S,--sort
              Sort ocontexts before writing out the binary policy. This
              option makes output of checkpolicy consistent with binary
              policies created by semanage and secilc.

       -t,--target
              Specify the target platform (selinux or xen).

       -O,--optimize
              Optimize the final kernel policy (remove redundant rules).

       -E,--werror
              Treat warnings as errors

       -V,--version
              Show version information.

       -h,--help
              Show usage information.

SEE ALSO         top

       SELinux Reference Policy documentation at
       https://github.com/SELinuxProject/refpolicy/wiki

AUTHOR         top

       This manual page was written by Árpád Magosányi
       <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley
       <sds@tycho.nsa.gov>.  The program was written by Stephen Smalley
       <sds@tycho.nsa.gov>.

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the
       project can be found at 
       ⟨https://github.com/SELinuxProject/selinux/wiki⟩.  If you have a
       bug report for this manual page, see
       ⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/SELinuxProject/selinux⟩ on 2024-06-14.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

                                                          CHECKPOLICY(8)

Pages that refer to this page: restorecon(8)setfiles(8)