SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 1 | .TH CHECKMODULE 8 |
| 2 | .SH NAME |
| 3 | checkmodule \- SELinux policy module compiler |
| 4 | .SH SYNOPSIS |
| 5 | .B checkmodule |
Stephen Smalley | 968aed0 | 2013-10-30 15:38:49 -0400 | [diff] [blame] | 6 | .I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]" |
SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 7 | .SH "DESCRIPTION" |
| 8 | This manual page describes the |
| 9 | .BR checkmodule |
| 10 | command. |
| 11 | .PP |
| 12 | .B checkmodule |
| 13 | is a program that checks and compiles a SELinux security policy module |
| 14 | into a binary representation. It can generate either a base policy |
Stephen Smalley | 968aed0 | 2013-10-30 15:38:49 -0400 | [diff] [blame] | 15 | module (default) or a non-base policy module (\-m option); typically, |
SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 16 | you would build a non-base policy module to add to an existing module |
| 17 | store that already has a base module provided by the base policy. Use |
| 18 | semodule_package to combine this module with its optional file |
| 19 | contexts to create a policy package, and then use semodule to install |
| 20 | the module package into the module store and load the resulting policy. |
| 21 | |
| 22 | .SH OPTIONS |
| 23 | .TP |
| 24 | .B \-b,\-\-binary |
| 25 | Read an existing binary policy module file rather than a source policy |
| 26 | module file. This option is a development/debugging aid. |
| 27 | .TP |
| 28 | .B \-h,\-\-help |
| 29 | Print usage. |
| 30 | .TP |
| 31 | .B \-m |
| 32 | Generate a non-base policy module. |
| 33 | .TP |
| 34 | .B \-M,\-\-mls |
| 35 | Enable the MLS/MCS support when checking and compiling the policy module. |
| 36 | .TP |
| 37 | .B \-V,\-\-version |
Stephen Smalley | cd88c5c | 2012-02-21 14:27:00 -0500 | [diff] [blame] | 38 | Show policy versions created by this program. Note that you cannot currently build older versions. |
SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 39 | .TP |
| 40 | .B \-o,\-\-output filename |
| 41 | Write a binary policy module file to the specified filename. |
| 42 | Otherwise, checkmodule will only check the syntax of the module source file |
| 43 | and will not generate a binary module at all. |
| 44 | .TP |
| 45 | .B \-U,\-\-handle-unknown <action> |
| 46 | Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). |
| 47 | |
| 48 | .SH EXAMPLE |
| 49 | .nf |
| 50 | # Build a MLS/MCS-enabled non-base policy module. |
Stephen Smalley | 968aed0 | 2013-10-30 15:38:49 -0400 | [diff] [blame] | 51 | $ checkmodule \-M \-m httpd.te \-o httpd.mod |
SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 52 | .fi |
| 53 | |
| 54 | .SH "SEE ALSO" |
| 55 | .B semodule(8), semodule_package(8) |
Stephen Smalley | ba8e992 | 2012-09-25 10:57:09 -0400 | [diff] [blame] | 56 | SELinux documentation at http://www.nsa.gov/research/selinux, |
SE Android | 8c48de1 | 2012-01-24 05:27:18 -0800 | [diff] [blame] | 57 | especially "Configuring the SELinux Policy". |
| 58 | |
| 59 | |
| 60 | .SH AUTHOR |
| 61 | This manual page was copied from the checkpolicy man page |
| 62 | written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>, |
| 63 | and edited by Dan Walsh <dwalsh@redhat.com>. |
| 64 | The program was written by Stephen Smalley <sds@epoch.ncsc.mil>. |