checkpolicy/checkmodule.8 - platform/external/selinux - Git at Google

 .TH CHECKMODULE 8
 .SH NAME
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
 .I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-L] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
 command.
 .PP
 .B checkmodule
 is a program that checks and compiles a SELinux security policy module
 into a binary representation.  It can generate either a base policy
 module (default) or a non-base policy module (\-m option); typically,
 you would build a non-base policy module to add to an existing module
 store that already has a base module provided by the base policy.  Use
 .B semodule_package(8)
 to combine this module with its optional file
 contexts to create a policy package, and then use
 .B semodule(8)
 to install the module package into the module store and load the resulting
 policy.

 .SH OPTIONS
 .TP
 .B \-b,\-\-binary
 Read an existing binary policy module file rather than a source policy
 module file.  This option is a development/debugging aid.
 .TP
 .B \-C,\-\-cil
 Write CIL policy file rather than binary policy file.
 .TP
 .B \-E,\-\-werror
 Treat warnings as errors
 .TP
 .B \-h,\-\-help
 Print usage.
 .TP
 .B \-m
 Generate a non-base policy module.
 .TP
 .B \-M,\-\-mls
 Enable the MLS/MCS support when checking and compiling the policy module.
 .TP
 .B \-N,\-\-disable-neverallow
 Do not check neverallow rules.
 .TP
 .B \-L,\-\-line-marker-for-allow
 Output line markers for allow rules, in addition to neverallow rules. This option increases the size
 of the output CIL policy file, but the additional line markers helps debugging, especially
 neverallow failure reports. Can only be used when writing a CIL policy file.
 .TP
 .B \-V,\-\-version
 Show policy versions created by this program.
 .TP
 .B \-o,\-\-output filename
 Write a binary policy module file to the specified filename.
 Otherwise, checkmodule will only check the syntax of the module source file
 and will not generate a binary module at all.
 .TP
 .B \-U,\-\-handle-unknown <action>
 Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
 .TP
 .B \-c policyvers
 Specify the policy version, defaults to the latest.

 .SH EXAMPLE
 .nf
 # Build a MLS/MCS-enabled non-base policy module.
 $ checkmodule \-M \-m httpd.te \-o httpd.mod
 .fi

 .SH "SEE ALSO"
 .B semodule(8), semodule_package(8)
 SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki


 .SH AUTHOR
 This manual page was copied from the checkpolicy man page
 written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
 and edited by Dan Walsh <dwalsh@redhat.com>.
	.TH CHECKMODULE 8
	.SH NAME
	checkmodule \- SELinux policy module compiler
	.SH SYNOPSIS
	.B checkmodule
	.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-L] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
	.SH "DESCRIPTION"
	This manual page describes the
	.BR checkmodule
	command.
	.PP
	.B checkmodule
	is a program that checks and compiles a SELinux security policy module
	into a binary representation. It can generate either a base policy
	module (default) or a non-base policy module (\-m option); typically,
	you would build a non-base policy module to add to an existing module
	store that already has a base module provided by the base policy. Use
	.B semodule_package(8)
	to combine this module with its optional file
	contexts to create a policy package, and then use
	.B semodule(8)
	to install the module package into the module store and load the resulting
	policy.

	.SH OPTIONS
	.TP
	.B \-b,\-\-binary
	Read an existing binary policy module file rather than a source policy
	module file. This option is a development/debugging aid.
	.TP
	.B \-C,\-\-cil
	Write CIL policy file rather than binary policy file.
	.TP
	.B \-E,\-\-werror
	Treat warnings as errors
	.TP
	.B \-h,\-\-help
	Print usage.
	.TP
	.B \-m
	Generate a non-base policy module.
	.TP
	.B \-M,\-\-mls
	Enable the MLS/MCS support when checking and compiling the policy module.
	.TP
	.B \-N,\-\-disable-neverallow
	Do not check neverallow rules.
	.TP
	.B \-L,\-\-line-marker-for-allow
	Output line markers for allow rules, in addition to neverallow rules. This option increases the size
	of the output CIL policy file, but the additional line markers helps debugging, especially
	neverallow failure reports. Can only be used when writing a CIL policy file.
	.TP
	.B \-V,\-\-version
	Show policy versions created by this program.
	.TP
	.B \-o,\-\-output filename
	Write a binary policy module file to the specified filename.
	Otherwise, checkmodule will only check the syntax of the module source file
	and will not generate a binary module at all.
	.TP
	.B \-U,\-\-handle-unknown <action>
	Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
	.TP
	.B \-c policyvers
	Specify the policy version, defaults to the latest.

	.SH EXAMPLE
	.nf
	# Build a MLS/MCS-enabled non-base policy module.
	$ checkmodule \-M \-m httpd.te \-o httpd.mod
	.fi

	.SH "SEE ALSO"
	.B semodule(8), semodule_package(8)
	SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki


	.SH AUTHOR
	This manual page was copied from the checkpolicy man page
	written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
	and edited by Dan Walsh <dwalsh@redhat.com>.