mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-22 14:02:17 +00:00
b87724cbdd
Add the command line argument `-N/--disable-neverallow`, similar to secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of neverallow rule violations. This is mainly useful in development, e.g. to quickly add rules to a policy without fulfilling all neverallow rules or build policies with known violations. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
79 lines
2.3 KiB
Groff
79 lines
2.3 KiB
Groff
.TH CHECKMODULE 8
|
|
.SH NAME
|
|
checkmodule \- SELinux policy module compiler
|
|
.SH SYNOPSIS
|
|
.B checkmodule
|
|
.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
|
|
.SH "DESCRIPTION"
|
|
This manual page describes the
|
|
.BR checkmodule
|
|
command.
|
|
.PP
|
|
.B checkmodule
|
|
is a program that checks and compiles a SELinux security policy module
|
|
into a binary representation. It can generate either a base policy
|
|
module (default) or a non-base policy module (\-m option); typically,
|
|
you would build a non-base policy module to add to an existing module
|
|
store that already has a base module provided by the base policy. Use
|
|
.B semodule_package(8)
|
|
to combine this module with its optional file
|
|
contexts to create a policy package, and then use
|
|
.B semodule(8)
|
|
to install the module package into the module store and load the resulting
|
|
policy.
|
|
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-b,\-\-binary
|
|
Read an existing binary policy module file rather than a source policy
|
|
module file. This option is a development/debugging aid.
|
|
.TP
|
|
.B \-C,\-\-cil
|
|
Write CIL policy file rather than binary policy file.
|
|
.TP
|
|
.B \-E,\-\-werror
|
|
Treat warnings as errors
|
|
.TP
|
|
.B \-h,\-\-help
|
|
Print usage.
|
|
.TP
|
|
.B \-m
|
|
Generate a non-base policy module.
|
|
.TP
|
|
.B \-M,\-\-mls
|
|
Enable the MLS/MCS support when checking and compiling the policy module.
|
|
.TP
|
|
.B \-N,\-\-disable-neverallow
|
|
Do not check neverallow rules.
|
|
.TP
|
|
.B \-V,\-\-version
|
|
Show policy versions created by this program.
|
|
.TP
|
|
.B \-o,\-\-output filename
|
|
Write a binary policy module file to the specified filename.
|
|
Otherwise, checkmodule will only check the syntax of the module source file
|
|
and will not generate a binary module at all.
|
|
.TP
|
|
.B \-U,\-\-handle-unknown <action>
|
|
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
|
|
.TP
|
|
.B \-c policyvers
|
|
Specify the policy version, defaults to the latest.
|
|
|
|
.SH EXAMPLE
|
|
.nf
|
|
# Build a MLS/MCS-enabled non-base policy module.
|
|
$ checkmodule \-M \-m httpd.te \-o httpd.mod
|
|
.fi
|
|
|
|
.SH "SEE ALSO"
|
|
.B semodule(8), semodule_package(8)
|
|
SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
|
|
|
|
|
|
.SH AUTHOR
|
|
This manual page was copied from the checkpolicy man page
|
|
written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
|
|
and edited by Dan Walsh <dwalsh@redhat.com>.
|
|
The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
|