xref: /aosp_15_r20/external/selinux/checkpolicy/checkpolicy.8 (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba) 
 CHECKPOLICY 8
 NAME
checkpolicy - SELinux policy compiler

 SYNOPSIS
 checkpolicy  "[-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-N] [-c policyvers] [-o output_file|-] [-S] [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]" 


 "DESCRIPTION"
This manual page describes the
 checkpolicy command.


 checkpolicy is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel.
If no input file name is specified,
 checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b
flag is specified.


 OPTIONS

 -b,--binary Read an existing binary policy file rather than a source policy.conf file.


 -F,--conf Write policy.conf file rather than binary policy file. Can only be used with binary policy file.


 -C,--cil Write CIL policy file rather than binary policy file.


 -d,--debug Enter debug mode after loading the policy.


 -U,--handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).


 -M,--mls Enable the MLS policy when checking and compiling the policy.


 -N,--disable-neverallow Do not check neverallow rules.


 -c policyvers Specify the policy version, defaults to the latest.


 -o,--output filename Write a policy file (binary, policy.conf, or CIL policy)
to the specified filename. If - is given as filename,
write it to standard output.


 -S,--sort Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.


 -t,--target Specify the target platform (selinux or xen).


 -O,--optimize Optimize the final kernel policy (remove redundant rules).


 -E,--werror Treat warnings as errors


 -V,--version Show version information.


 -h,--help Show usage information.


 EXAMPLE
Generate policy.conf based on the system policy
# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
Note that binary policy extension represents its version, which is subject to change
# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
# load_policy
Generate CIL representation of current system policy
# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out


 "SEE ALSO"
SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki



 AUTHOR
This manual page was written by Árpád Magosányi <[email protected]>,
and edited by Stephen Smalley <[email protected]>.
The program was written by Stephen Smalley <[email protected]>.