Install Now
checkmodule - SELinux policy module compiler
Contents
Description
This manual page describes the checkmodule command.
checkmodule is a program that checks and compiles a SELinux security policy module into a binary
representation. It can generate either a base policy module (default) or a non-base policy module (-m
option); typically, you would build a non-base policy module to add to an existing module store that
already has a base module provided by the base policy. Use semodule_package(8) to combine this module
with its optional file contexts to create a policy package, and then use semodule(8) to install the
module package into the module store and load the resulting policy.
Example
# Build a MLS/MCS-enabled non-base policy module.
$ checkmodule -M -m httpd.te -o httpd.mod
Name
checkmodule - SELinux policy module compiler
Options
-b,--binary
Read an existing binary policy module file rather than a source policy module file. This option
is a development/debugging aid.
-C,--cil
Write CIL policy file rather than binary policy file.
-E,--werror
Treat warnings as errors
-h,--help
Print usage.
-m Generate a non-base policy module.
-M,--mls
Enable the MLS/MCS support when checking and compiling the policy module.
-N,--disable-neverallow
Do not check neverallow rules.
-V,--version
Show policy versions created by this program.
-o,--outputfilename
Write a binary policy module file to the specified filename. Otherwise, checkmodule will only
check the syntax of the module source file and will not generate a binary module at all.
-U,--handle-unknown<action>
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
-cpolicyvers
Specify the policy version, defaults to the latest.
See Also
semodule(8),semodule_package(8) SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
Synopsis
checkmodule[-h][-b][-cpolicy_version][-C][-E][-m][-M][-N][-Uhandle_unknown][-V][-ooutput_file][input_file]
PNG Icons
Emojis