selinux/checkpolicy/checkpolicy.8
Daniel Burgener 62a91d7d71 checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.
When the lexer encounters an unexpected character in a policy source file, it prints a warning, discards the character and moves on.  In some build environments, these characters could be a symptom of an earlier problem, such as unintended results of expansion of preprocessor macros, and the ability to have the compiler halt on such issues would be helpful for diagnosis.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-11 14:39:39 -04:00

73 lines
2.2 KiB
Groff

.TH CHECKPOLICY 8
.SH NAME
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
.BR checkpolicy
command.
.PP
.B checkpolicy
is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel. If no
input file name is specified, checkpolicy will attempt to read from
policy.conf or policy, depending on whether the \-b flag is specified.
.SH OPTIONS
.TP
.B \-b,\-\-binary
Read an existing binary policy file rather than a source policy.conf file.
.TP
.B \-F,\-\-conf
Write policy.conf file rather than binary policy file. Can only be used with binary policy file.
.TP
.B \-C,\-\-cil
Write CIL policy file rather than binary policy file.
.TP
.B \-d,\-\-debug
Enter debug mode after loading the policy.
.TP
.B \-U,\-\-handle-unknown <action>
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
.TP
.B \-M,\-\-mls
Enable the MLS policy when checking and compiling the policy.
.TP
.B \-c policyvers
Specify the policy version, defaults to the latest.
.TP
.B \-o,\-\-output filename
Write a policy file (binary, policy.conf, or CIL policy)
to the specified filename. If - is given as filename,
write it to standard output.
.TP
.B \-S,\-\-sort
Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
.TP
.B \-t,\-\-target
Specify the target platform (selinux or xen).
.TP
.B \-O,\-\-optimize
Optimize the final kernel policy (remove redundant rules).
.TP
.B \-E,\-\-werror
Treat warnings as errors
.TP
.B \-V,\-\-version
Show version information.
.TP
.B \-h,\-\-help
Show usage information.
.SH "SEE ALSO"
SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
.SH AUTHOR
This manual page was written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
and edited by Stephen Smalley <sds@tycho.nsa.gov>.
The program was written by Stephen Smalley <sds@tycho.nsa.gov>.