Provided by: checkpolicy_3.7-1_amd64 bug

NAME
       checkpolicy - SELinux policy compiler


SYNOPSIS
       checkpolicy  [-b[F]]  [-C]  [-d]  [-U  handle_unknown  (allow,deny,reject)]  [-M] [-N] [-c
       policyvers] [-o output_file|-] [-S] [-t  target_platform  (selinux,xen)]  [-O]  [-E]  [-V]
       [input_file]


DESCRIPTION
       This manual page describes the checkpolicy command.

       checkpolicy  is a program that checks and compiles a SELinux security policy configuration
       into a binary representation that can be loaded into the kernel.  If no input file name is
       specified,  checkpolicy  will  attempt  to  read  from policy.conf or policy, depending on
       whether the -b flag is specified.


OPTIONS
       -b,--binary
              Read an existing binary policy file rather than a source policy.conf file.

       -F,--conf
              Write policy.conf file rather than binary policy file. Can only be used with binary
              policy file.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -d,--debug
              Enter debug mode after loading the policy.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or permissions (deny, allow or
              reject).

       -M,--mls
              Enable the MLS policy when checking and compiling the policy.

       -N,--disable-neverallow
              Do not check neverallow rules.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy) to the specified filename.
              If - is given as filename, write it to standard output.

       -S,--sort
              Sort  ocontexts  before  writing out the binary policy. This option makes output of
              checkpolicy consistent with binary policies created by semanage and secilc.

       -t,--target
              Specify the target platform (selinux or xen).

       -O,--optimize
              Optimize the final kernel policy (remove redundant rules).

       -E,--werror
              Treat warnings as errors

       -V,--version
              Show version information.

       -h,--help
              Show usage information.


EXAMPLE
       Generate policy.conf based on the system policy
       # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
       Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
       Note that binary policy extension represents its version, which is subject to change
       # checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
       # load_policy
       Generate CIL representation of current system policy
       # checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out


SEE ALSO
       SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki


AUTHOR
       This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>, and  edited  by
       Stephen  Smalley  <stephen.smalley.work@gmail.com>.   The  program  was written by Stephen
       Smalley <stephen.smalley.work@gmail.com>.

                                                                                   CHECKPOLICY(8)