NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLE | SEE ALSO | AUTHOR | COLOPHON |
|
|
CHECKPOLICY(8) System Manager's Manual CHECKPOLICY(8)
checkpolicy - SELinux policy compiler
checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-N] [-L] [-c policyvers] [-o output_file|-] [-S] [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]
This manual page describes the checkpolicy command. checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b flag is specified.
-b,--binary Read an existing binary policy file rather than a source policy.conf file. -F,--conf Write policy.conf file rather than binary policy file. Can only be used with binary policy file. -C,--cil Write CIL policy file rather than binary policy file. -d,--debug Enter debug mode after loading the policy. -U,--handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). -M,--mls Enable the MLS policy when checking and compiling the policy. -N,--disable-neverallow Do not check neverallow rules. -L,--line-marker-for-allow Output line markers for allow rules, in addition to neverallow rules. This option increases the size of the output CIL policy file, but the additional line markers helps debugging, especially neverallow failure reports. Can only be used when writing a CIL policy file. -c policyvers Specify the policy version, defaults to the latest. -o,--output filename Write a policy file (binary, policy.conf, or CIL policy) to the specified filename. If - is given as filename, write it to standard output. -S,--sort Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc. -t,--target Specify the target platform (selinux or xen). -O,--optimize Optimize the final kernel policy (remove redundant rules). -E,--werror Treat warnings as errors -V,--version Show version information. -h,--help Show usage information.
Generate policy.conf based on the system policy # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^). Note that binary policy extension represents its version, which is subject to change # checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf # load_policy Generate CIL representation of current system policy # checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out
SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
This manual page was written by Árpád Magosányi <[email protected]>, and edited by Stephen Smalley <[email protected]>. The program was written by Stephen Smalley <[email protected]>.
This page is part of the selinux (Security-Enhanced Linux user-
space libraries and tools) project. Information about the project
can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
If you have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At
that time, the date of the most recent commit that was found in
the repository was 2025-08-04.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
CHECKPOLICY(8)
Pages that refer to this page: restorecon(8), setfiles(8)