Provided by: checkpolicy_3.9-1_amd64 bug

NAME
       checkmodule - SELinux policy module compiler


SYNOPSIS
       checkmodule  [-h]  [-b]  [-c  policy_version]  [-C] [-E] [-m] [-M] [-N] [-L] [-U handle_unknown] [-V] [-o
       output_file] [input_file]


DESCRIPTION
       This manual page describes the checkmodule command.

       checkmodule is a program that checks and  compiles  a  SELinux  security  policy  module  into  a  binary
       representation.   It  can  generate either a base policy module (default) or a non-base policy module (-m
       option); typically, you would build a non-base policy module to add to  an  existing  module  store  that
       already  has  a  base module provided by the base policy.  Use semodule_package(8) to combine this module
       with its optional file contexts to create a policy package, and  then  use  semodule(8)  to  install  the
       module package into the module store and load the resulting policy.


OPTIONS
       -b,--binary
              Read  an  existing binary policy module file rather than a source policy module file.  This option
              is a development/debugging aid.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -E,--werror
              Treat warnings as errors

       -h,--help
              Print usage.

       -m     Generate a non-base policy module.

       -M,--mls
              Enable the MLS/MCS support when checking and compiling the policy module.

       -N,--disable-neverallow
              Do not check neverallow rules.

       -L,--line-marker-for-allow
              Output line markers for allow rules, in addition to neverallow rules. This  option  increases  the
              size  of  the  output CIL policy file, but the additional line markers helps debugging, especially
              neverallow failure reports. Can only be used when writing a CIL policy file.

       -V,--version
              Show policy versions created by this program.

       -o,--output filename
              Write a binary policy module file to the specified filename.   Otherwise,  checkmodule  will  only
              check the syntax of the module source file and will not generate a binary module at all.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

       -c policyvers
              Specify the policy version, defaults to the latest.


EXAMPLE
       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod


SEE ALSO
       semodule(8),       semodule_package(8)      SELinux      Reference      Policy      documentation      at
       https://github.com/SELinuxProject/refpolicy/wiki


AUTHOR
       This  manual  page  was  copied  from   the   checkpolicy   man   page   written   by   Árpád   Magosányi
       <mag@bunuel.tii.matav.hu>, and edited by Dan Walsh <dwalsh@redhat.com>.

                                                                                                  CHECKMODULE(8)