| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1 | .TH CHECKMODULE 8 |
| 2 | .SH NAME |
| 3 | checkmodule \- SELinux policy module compiler |
| 4 | .SH SYNOPSIS |
| 5 | .B checkmodule |
| 6 | .I "[-b] [-m] [-M] [-V] [-o output_file] [input_file]" |
| 7 | .SH "DESCRIPTION" |
| 8 | This manual page describes the |
| 9 | .BR checkmodule |
| 10 | command. |
| 11 | .PP |
| 12 | .B checkmodule |
| 13 | is a program that checks and compiles a SELinux security policy module |
| 14 | into a binary representation. It can generate either a base policy |
| 15 | module (default) or a non-base policy module (-m option); typically, |
| 16 | you would build a non-base policy module to add to an existing module |
| 17 | store that already has a base module provided by the base policy. Use |
| 18 | semodule_package to combine this module with its optional file |
| 19 | contexts to create a policy package, and then use semodule to install |
| 20 | the module package into the module store and load the resulting policy. |
| 21 | |
| 22 | .SH OPTIONS |
| 23 | .TP |
| Guido Trentalancia | bf57d23 | 2009-11-02 18:14:28 +0100 | [diff] [blame^] | 24 | .B \-b,\-\-binary |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 25 | Read an existing binary policy module file rather than a source policy |
| 26 | module file. This option is a development/debugging aid. |
| 27 | .TP |
| 28 | .B \-m |
| 29 | Generate a non-base policy module. |
| 30 | .TP |
| Guido Trentalancia | bf57d23 | 2009-11-02 18:14:28 +0100 | [diff] [blame^] | 31 | .B \-M,\-\-mls |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 32 | Enable the MLS/MCS support when checking and compiling the policy module. |
| 33 | .TP |
| Guido Trentalancia | bf57d23 | 2009-11-02 18:14:28 +0100 | [diff] [blame^] | 34 | .B \-V,\-\-version |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 35 | Show policy versions created by this program |
| 36 | .TP |
| Guido Trentalancia | bf57d23 | 2009-11-02 18:14:28 +0100 | [diff] [blame^] | 37 | .B \-o,\-\-output filename |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 38 | Write a binary policy module file to the specified filename. |
| 39 | Otherwise, checkmodule will only check the syntax of the module source file |
| 40 | and will not generate a binary module at all. |
| Guido Trentalancia | bf57d23 | 2009-11-02 18:14:28 +0100 | [diff] [blame^] | 41 | .TP |
| 42 | .B \-U,\-\-handle-unknown <action> |
| 43 | Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). |
| Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 44 | |
| 45 | .SH EXAMPLE |
| 46 | .nf |
| 47 | # Build a MLS/MCS-enabled non-base policy module. |
| 48 | $ checkmodule -M -m httpd.te -o httpd.mod |
| 49 | .fi |
| 50 | |
| 51 | .SH "SEE ALSO" |
| 52 | .B semodule(8), semodule_package(8) |
| 53 | SELinux documentation at http://www.nsa.gov/selinux, |
| 54 | especially "Configuring the SELinux Policy". |
| 55 | |
| 56 | |
| 57 | .SH AUTHOR |
| 58 | This manual page was copied from the checkpolicy man page |
| 59 | written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>, |
| 60 | and edited by Dan Walsh <dwalsh@redhat.com>. |
| 61 | The program was written by Stephen Smalley <sds@epoch.ncsc.mil>. |