Section: Maintenance Commands (8)
checkpolicy - SELinux policy compiler
[-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-c policyvers] [-o output_file] [-S] [-t target_platform (selinux,xen)] [-V] [input_file]
This manual page describes the
is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel. If no
input file name is specified, checkpolicy will attempt to read from
policy.conf or policy, depending on whether the -b flag is specified.
Read an existing binary policy file rather than a source policy.conf file.
Write policy.conf file rather than binary policy file. Can only be used with binary policy file.
Write CIL policy file rather than binary policy file.
Enter debug mode after loading the policy.
- -U,--handle-unknown <action>
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
Enable the MLS policy when checking and compiling the policy.
- -c policyvers
Specify the policy version, defaults to the latest.
- -o,--output filename
Write a binary policy file to the specified filename.
Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
Specify the target platform (selinux or xen).
Show version information.
Show usage information.
SELinux documentation at http://www.nsa.gov/research/selinux,
especially "Configuring the SELinux Policy".
This manual page was written by Arpad Magosanyi <email@example.com
and edited by Stephen Smalley <firstname.lastname@example.org
The program was written by Stephen Smalley <email@example.com