Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / selinux / b74e766f177ffd79aea3bb33b1cd5fb26d4e060e / . / checkpolicy / checkmodule.8
blob: e55582f30ec0c08f70f4cc9b375d12f5ff276aa9 [file] [log] [blame]
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1.TH CHECKMODULE 8
2.SH NAME
3checkmodule \- SELinux policy module compiler
4.SH SYNOPSIS
5.B checkmodule
James Carterb1d94562015-04-01 10:05:04 -0400[diff] [blame]6.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]7.SH "DESCRIPTION"
8This manual page describes the
9.BR checkmodule
10command.
11.PP
12.B checkmodule
13is a program that checks and compiles a SELinux security policy module
14into a binary representation. It can generate either a base policy
Laurent Bigonvillef074bb32013-05-10 14:45:18 +0200[diff] [blame]15module (default) or a non-base policy module (\-m option); typically,
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]16you would build a non-base policy module to add to an existing module
17store that already has a base module provided by the base policy. Use
18semodule_package to combine this module with its optional file
19contexts to create a policy package, and then use semodule to install
20the module package into the module store and load the resulting policy.
21
22.SH OPTIONS
23.TP
Guido Trentalanciabf57d232009-11-02 18:14:28 +0100[diff] [blame]24.B \-b,\-\-binary
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]25Read an existing binary policy module file rather than a source policy
26module file. This option is a development/debugging aid.
27.TP
James Carterb1d94562015-04-01 10:05:04 -0400[diff] [blame]28.B \-C,\-\-cil
29Write CIL policy file rather than binary policy file.
30.TP
Steve Lawrence8867e162010-06-14 14:45:46 -0400[diff] [blame]31.B \-h,\-\-help
Daniel J Walsh36fe4c32010-06-14 14:44:44 -0400[diff] [blame]32Print usage.
33.TP
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]34.B \-m
35Generate a non-base policy module.
36.TP
Guido Trentalanciabf57d232009-11-02 18:14:28 +0100[diff] [blame]37.B \-M,\-\-mls
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]38Enable the MLS/MCS support when checking and compiling the policy module.
39.TP
Guido Trentalanciabf57d232009-11-02 18:14:28 +0100[diff] [blame]40.B \-V,\-\-version
Gary Tierney4984a752019-04-17 17:37:30 +0100[diff] [blame]41Show policy versions created by this program.
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]42.TP
Guido Trentalanciabf57d232009-11-02 18:14:28 +0100[diff] [blame]43.B \-o,\-\-output filename
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]44Write a binary policy module file to the specified filename.
45Otherwise, checkmodule will only check the syntax of the module source file
46and will not generate a binary module at all.
Guido Trentalanciabf57d232009-11-02 18:14:28 +0100[diff] [blame]47.TP
48.B \-U,\-\-handle-unknown <action>
49Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
Gary Tierney4984a752019-04-17 17:37:30 +0100[diff] [blame]50.TP
51.B \-c policyvers
52Specify the policy version, defaults to the latest.
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]53
54.SH EXAMPLE
55.nf
56# Build a MLS/MCS-enabled non-base policy module.
Laurent Bigonvillef074bb32013-05-10 14:45:18 +0200[diff] [blame]57$ checkmodule \-M \-m httpd.te \-o httpd.mod
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]58.fi
59
60.SH "SEE ALSO"
61.B semodule(8), semodule_package(8)
Dan Walsh18e3a8d2012-01-16 12:09:43 -0500[diff] [blame]62SELinux documentation at http://www.nsa.gov/research/selinux,
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]63especially "Configuring the SELinux Policy".
64
65
66.SH AUTHOR
67This manual page was copied from the checkpolicy man page
68written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
69and edited by Dan Walsh <dwalsh@redhat.com>.
Stephen Smalley53bb2a12017-08-17 14:16:06 -0400[diff] [blame]70The program was written by Stephen Smalley <sds@tycho.nsa.gov>.