Provided by: checkpolicy_3.9-1_amd64

NAME

       checkpolicy - SELinux policy compiler

SYNOPSIS

       checkpolicy  [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-N] [-L] [-c policyvers] [-o
       output_file|-] [-S] [-t target_platform (selinux,xen)] [-O] [-E] [-V] [input_file]

DESCRIPTION

       This manual page describes the checkpolicy command.

       checkpolicy is a program that checks and compiles an SELinux security policy configuration into a binary
       representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will
       attempt to read from policy.conf or policy, depending on whether the -b flag is specified.

OPTIONS

       -b,--binary
              Read an existing binary policy file rather than a source policy.conf file.

       -F,--conf
              Write policy.conf file rather than binary policy file. Can only be used with binary policy file.

       -C,--cil
              Write CIL policy file rather than binary policy file.

       -d,--debug
              Enter debug mode after loading the policy.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

       -M,--mls
              Enable the MLS policy when checking and compiling the policy.

       -N,--disable-neverallow
              Do not check neverallow rules.

       -L,--line-marker-for-allow
              Output line markers for allow rules, in addition to neverallow rules. This option increases the
              size of the output CIL policy file, but the additional line markers help with debugging,
              especially of neverallow failure reports. Can only be used when writing a CIL policy file.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy) to the specified filename. If - is  given
              as filename, write it to standard output.

       -S,--sort
              Sort  ocontexts  before  writing  out  the  binary policy. This option makes output of checkpolicy
              consistent with binary policies created by semanage and secilc.

       -t,--target
              Specify the target platform (selinux or xen).

       -O,--optimize
              Optimize the final kernel policy (remove redundant rules).

       -E,--werror
              Treat warnings as errors.

       -V,--version
              Show version information.

       -h,--help
              Show usage information.

EXAMPLE

       Generate policy.conf based on the system policy:
       # checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.33 -o policy.conf
       Recompile the system policy so that unknown permissions are denied (uses the policy.conf generated by
       the previous command). Note that the extension of the binary policy file represents its version, which
       is subject to change:
       # checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
       # load_policy
       Generate a CIL representation of the current system policy:
       # checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.33 -o policy.out
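
       An added example, not part of the original manual page or the checkpolicy sources: a Python check to
       run on the file written by the recompile step before load_policy, confirming that its header records
       the intended -M and -U choices. It assumes the kernel binary policy header layout read by libsepol
       (little-endian magic, target string, version, config flags); the function names and the sample header
       bytes are constructed for illustration.

```python
import struct
import sys

POLICYDB_MAGIC = 0xF97CFF8C   # magic of a kernel binary policy
TARGETS = {b"SE Linux": "selinux", b"XenFlask": "xen"}   # -t values
CONFIG_MLS = 0x1              # set when compiled with -M
REJECT_UNKNOWN = 0x2          # -U reject
ALLOW_UNKNOWN = 0x4           # -U allow; neither bit set means deny


def read_policy_header(data: bytes) -> dict:
    """Decode magic, target string, version and config flags (little-endian)."""
    if len(data) < 8:
        raise ValueError("truncated header")
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("bad magic: not a kernel binary policy")
    end = 8 + strlen
    if strlen > 32 or len(data) < end + 8:
        raise ValueError("malformed or truncated header")
    target = TARGETS.get(data[8:end])
    if target is None:
        raise ValueError("unrecognised target platform string")
    version, config = struct.unpack_from("<II", data, end)
    if config & ALLOW_UNKNOWN and config & REJECT_UNKNOWN:
        raise ValueError("ambiguous: both allow and reject bits set")
    unknown = ("allow" if config & ALLOW_UNKNOWN
               else "reject" if config & REJECT_UNKNOWN else "deny")
    return {"target": target, "version": version,
            "mls": bool(config & CONFIG_MLS), "handle_unknown": unknown}


def mismatches(hdr: dict, **expected) -> list:
    """Return the header fields that differ from what the build intended."""
    return [f"{k}: got {hdr[k]!r}, want {v!r}"
            for k, v in expected.items() if hdr[k] != v]


def sample_header(version: int, config: int, target=b"SE Linux") -> bytes:
    """Constructed header bytes for demonstration; not a real policy."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(target)) + target
            + struct.pack("<II", version, config))


if __name__ == "__main__":
    # With a path: inspect that file. Without: use the constructed sample.
    raw = (open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1
           else sample_header(33, CONFIG_MLS))
    hdr = read_policy_header(raw)
    print(hdr, mismatches(hdr, mls=True, handle_unknown="deny") or "OK")
```

       Reading the version from the header also avoids relying on the file extension, which the note above
       says is subject to change.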

SEE ALSO

       SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki

AUTHOR

       This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>, and edited by Stephen Smalley
       <stephen.smalley.work@gmail.com>. The program was written by Stephen Smalley
       <stephen.smalley.work@gmail.com>.

                                                                                                  CHECKPOLICY(8)