Provided by: checkpolicy_2.9-2_amd64 bug


       checkmodule - SELinux policy module compiler


       checkmodule  [-h]  [-b]  [-C]  [-m]  [-M]  [-U  handle_unknown  ]  [-V]  [-o  output_file]


       This manual page describes the checkmodule command.

       checkmodule is a program that checks and compiles a SELinux security policy module into  a
       binary  representation.   It  can generate either a base policy module (default) or a non-
       base policy module (-m option); typically, you would build a non-base policy module to add
       to  an  existing  module store that already has a base module provided by the base policy.
       Use semodule_package to combine this module with its optional file contexts  to  create  a
       policy  package, and then use semodule to install the module package into the module store
       and load the resulting policy.


              Read an existing binary policy module file rather than a source policy module file.
              This option is a development/debugging aid.

              Write CIL policy file rather than binary policy file.

              Print usage.

       -m     Generate a non-base policy module.

              Enable the MLS/MCS support when checking and compiling the policy module.

               Show  policy  versions  created  by  this program.  Note that you cannot currently
              build older versions.

       -o,--output filename
              Write  a  binary  policy  module  file  to  the  specified  filename.    Otherwise,
              checkmodule  will  only  check  the  syntax  of the module source file and will not
              generate a binary module at all.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or permissions (deny, allow or


       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod


       semodule(8),          semodule_package(8)         SELinux         documentation         at, especially "Configuring the SELinux Policy".


       This manual page was copied from the checkpolicy  man  page  written  by  Arpad  Magosanyi
       <>,  and  edited by Dan Walsh <>.  The program was
       written by Stephen Smalley <>.