man 8 CHECKPOLICY

CHECKPOLICY(8)              System Manager's Manual             CHECKPOLICY(8)

NAME
       checkpolicy - SELinux policy compiler

SYNOPSIS
       checkpolicy  [-b[F]]  [-C] [-d] [-U handle_unknown (allow,deny,reject)]
       [-M] [-N] [-c policyvers] [-o output_file|-] [-S]  [-t  target_platform
       (selinux,xen)] [-O] [-E] [-V] [input_file]

DESCRIPTION
       This manual page describes the checkpolicy command.

       checkpolicy  is  a  program that checks and compiles a SELinux security
       policy configuration into a binary representation that  can  be  loaded
       into  the kernel.  If no input file name is specified, checkpolicy will
       attempt to read from policy.conf or policy, depending on whether the -b
       flag is specified.

OPTIONS
       -b,--binary
              Read  an  existing  binary policy file rather than a source pol-
              icy.conf file.

       -F,--conf
              Write policy.conf file rather than binary policy file. Can  only
              be used with binary policy file.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -d,--debug
              Enter debug mode after loading the policy.

       -U,--handle-unknown <action> 
              Specify  how the kernel should handle unknown classes or permis-
              sions (deny, allow or reject).

       -M,--mls
              Enable the MLS policy when checking and compiling the policy.

       -N,--disable-neverallow
              Do not check neverallow rules.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy) to  the
              specified filename. If - is given as filename, write it to stan-
              dard output.

       -S,--sort
              Sort ocontexts before writing out the binary policy. This option
              makes output of checkpolicy consistent with binary policies cre-
              ated by semanage and secilc.

       -t,--target
              Specify the target platform (selinux or xen).

       -O,--optimize
              Optimize the final kernel policy (remove redundant rules).

       -E,--werror
              Treat warnings as errors

       -V,--version
              Show version information.

       -h,--help
              Show usage information.

EXAMPLE
       Generate policy.conf based on the system policy
       # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
       Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
       Note that binary policy extension represents its version, which is subject to change
       # checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
       # load_policy
       Generate CIL representation of current system policy
       # checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out

SEE ALSO
       SELinux Reference Policy documentation  at  https://github.com/SELinux-
       Project/refpolicy/wiki

AUTHOR
       This     manual     page     was    written    by    Arpad    Magosanyi
       <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley <stephen.smal-
       ley.work@gmail.com>.   The  program  was  written  by  Stephen  Smalley
       <stephen.smalley.work@gmail.com>.

                                                                CHECKPOLICY(8)