mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-22 14:02:17 +00:00
b87724cbdd
Add the command line argument `-N/--disable-neverallow`, similar to secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of neverallow rule violations. This is mainly useful in development, e.g. to quickly add rules to a policy without fulfilling all neverallow rules or build policies with known violations. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
89 lines
2.8 KiB
Groff
89 lines
2.8 KiB
Groff
.TH CHECKPOLICY 8
|
|
.SH NAME
|
|
checkpolicy \- SELinux policy compiler
|
|
.SH SYNOPSIS
|
|
.B checkpolicy
|
|
.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-N] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
|
|
.br
|
|
.SH "DESCRIPTION"
|
|
This manual page describes the
|
|
.BR checkpolicy
|
|
command.
|
|
.PP
|
|
.B checkpolicy
|
|
is a program that checks and compiles a SELinux security policy configuration
|
|
into a binary representation that can be loaded into the kernel.
|
|
If no input file name is specified,
|
|
.B checkpolicy
|
|
will attempt to read from policy.conf or policy, depending on whether the \-b
|
|
flag is specified.
|
|
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-b,\-\-binary
|
|
Read an existing binary policy file rather than a source policy.conf file.
|
|
.TP
|
|
.B \-F,\-\-conf
|
|
Write policy.conf file rather than binary policy file. Can only be used with binary policy file.
|
|
.TP
|
|
.B \-C,\-\-cil
|
|
Write CIL policy file rather than binary policy file.
|
|
.TP
|
|
.B \-d,\-\-debug
|
|
Enter debug mode after loading the policy.
|
|
.TP
|
|
.B \-U,\-\-handle-unknown <action>
|
|
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
|
|
.TP
|
|
.B \-M,\-\-mls
|
|
Enable the MLS policy when checking and compiling the policy.
|
|
.TP
|
|
.B \-N,\-\-disable-neverallow
|
|
Do not check neverallow rules.
|
|
.TP
|
|
.B \-c policyvers
|
|
Specify the policy version, defaults to the latest.
|
|
.TP
|
|
.B \-o,\-\-output filename
|
|
Write a policy file (binary, policy.conf, or CIL policy)
|
|
to the specified filename. If - is given as filename,
|
|
write it to standard output.
|
|
.TP
|
|
.B \-S,\-\-sort
|
|
Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
|
|
.TP
|
|
.B \-t,\-\-target
|
|
Specify the target platform (selinux or xen).
|
|
.TP
|
|
.B \-O,\-\-optimize
|
|
Optimize the final kernel policy (remove redundant rules).
|
|
.TP
|
|
.B \-E,\-\-werror
|
|
Treat warnings as errors
|
|
.TP
|
|
.B \-V,\-\-version
|
|
Show version information.
|
|
.TP
|
|
.B \-h,\-\-help
|
|
Show usage information.
|
|
|
|
.SH EXAMPLE
|
|
.nf
|
|
Generate policy.conf based on the system policy
|
|
# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
|
|
Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
|
|
Note that binary policy extension represents its version, which is subject to change
|
|
# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
|
|
# load_policy
|
|
Generate CIL representation of current system policy
|
|
# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out
|
|
|
|
.SH "SEE ALSO"
|
|
SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
|
|
|
|
|
|
.SH AUTHOR
|
|
This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
|
|
and edited by Stephen Smalley <sds@tycho.nsa.gov>.
|
|
The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
|