checkmodule(8) [debian man page]

CHECKMODULE(8)						      System Manager's Manual						    CHECKMODULE(8)

NAME
       checkmodule - SELinux policy module compiler

SYNOPSIS
       checkmodule [-h] [-b] [-m] [-M] [-U handle_unknown] [-V] [-o output_file] [input_file]

DESCRIPTION
       This manual page describes the checkmodule command.

       checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation. It can generate either a base policy module (default) or a non-base policy module (-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use semodule_package to combine this module with its optional file contexts to create a policy package, and then use semodule to install the module package into the module store and load the resulting policy.

OPTIONS
       -b,--binary
              Read an existing binary policy module file rather than a source policy module file. This option is a development/debugging aid.

       -h,--help
              Print usage.

       -m     Generate a non-base policy module.

       -M,--mls
              Enable the MLS/MCS support when checking and compiling the policy module.

       -V,--version
              Show policy versions created by this program. Note that you cannot currently build older versions.

       -o,--output filename
              Write a binary policy module file to the specified filename. Otherwise, checkmodule will only check the syntax of the module source file and will not generate a binary module at all.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

EXAMPLE
       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod

SEE ALSO
       semodule(8), semodule_package(8)

       SELinux documentation at http://www.nsa.gov/selinux, especially "Configuring the SELinux Policy".

AUTHOR
       This manual page was copied from the checkpolicy man page written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>, and edited by Dan Walsh <dwalsh@redhat.com>. The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.

sediffx(1)                                                    General Commands Manual                                                   sediffx(1)

NAME
       sediffx - graphical SELinux policy difference tool

SYNOPSIS
       sediffx [-d] [ORIGINAL_POLICY ; MODIFIED_POLICY]

DESCRIPTION
       sediffx allows the user to graphically inspect the semantic differences between two SELinux policies. All supported policy elements are examined.

POLICY
       sediffx supports loading SELinux policies in one of four formats.

       source A single text file containing policy source for versions 12 through 21. This file is usually named policy.conf.

       binary A single file containing a monolithic kernel binary policy for versions 15 through 21. This file is usually named by version - for example, policy.20.

       modular
              A list of policy packages each containing a loadable policy module. The first module listed must be a base module.

       policy list
              A single text file containing all the information needed to load a policy, usually exported by SETools graphical utilities.

       Policies do not need to be the same format. If not provided sediffx will begin with no policies loaded.

OPTIONS
       -d, --diff-now
              Load the policies and differentiate them immediately. This option requires the user to specify the policies on the command line.

       -h, --help
              Print help information and exit.

       -V, --version
              Print version information and exit.

DIFFERENCES
       sediffx categorizes differences in policy elements into one of three forms.

       added  The element exists only in the modified policy.

       removed
              The element exists only in the original policy.

       modified
              The element exists in both policies but its semantic meaning has changed. For example, a class is modified if one or more permissions are added or removed.

       For all rules with types as their source or target, two additional forms of difference are recognized. This helps distinguish differences due to new types from differences in rules for existing types.

       added, new type
              The rule exists only in the modified policy; furthermore, one or more of the types in the rule do not exist in the original policy.

       removed, missing type
              The rule exists only in the original policy; furthermore, one or more of the types in the rule do not exist in the modified policy.

NOTE
       Most shells interpret the semicolon as a metacharacter, thus requiring a backslash like so:

              sediffx original.policy \; modified.policy

AUTHOR
       This manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.

COPYRIGHT
       Copyright(C) 2005-2007 Tresys Technology, LLC

BUGS
       Please report bugs via an email to setools-bugs@tresys.com.

SEE ALSO
       sediff(1)
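
The five forms of difference listed under DIFFERENCES for sediffx, worked through as an added example (not part of the man page and not SETools code). It is a simplified model that handles only `allow` rules with explicit types, keyed by source, target and class; treating a changed permission set as "modified" is an assumption drawn from the class example above, and the sample policies and the names `parse` and `classify` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample policies (not from any real policy). Assumption: only
# plain allow rules, no attributes or conditionals, keyed by (src, tgt, class).
ORIGINAL = """
type httpd_t; type httpd_log_t; type old_tmp_t;
allow httpd_t httpd_log_t:file { append getattr };
allow httpd_t old_tmp_t:file { read };
allow httpd_t httpd_t:process { signal };
allow httpd_t httpd_log_t:lnk_file { read };
"""
MODIFIED = """
type httpd_t; type httpd_log_t; type httpd_cache_t;
allow httpd_t httpd_log_t:file { append getattr write };
allow httpd_t httpd_cache_t:dir { search };
allow httpd_t httpd_t:process { signal };
allow httpd_t httpd_log_t:dir { search };
"""

TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

def parse(text):
    """Return (declared types, {(source, target, class): set(perms)})."""
    types = set(TYPE_RE.findall(text))
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)] |= set(perms.split())
    return types, dict(rules)

def classify(original, modified):
    """Map each differing rule key to one of the five forms of difference."""
    o_types, o_rules = parse(original)
    m_types, m_rules = parse(modified)
    result = {}
    for key in o_rules.keys() | m_rules.keys():
        src, tgt, _ = key
        if key not in o_rules:      # only in the modified policy
            result[key] = "added, new type" if {src, tgt} - o_types else "added"
        elif key not in m_rules:    # only in the original policy
            result[key] = "removed, missing type" if {src, tgt} - m_types else "removed"
        elif o_rules[key] != m_rules[key]:  # same key, permission set changed
            result[key] = "modified"
    return result

if __name__ == "__main__":
    for key, form in sorted(classify(ORIGINAL, MODIFIED).items()):
        print(f"{form:22} allow {key[0]} {key[1]}:{key[2]}")
```

When reviewing a policy change, the "added" rows for existing types are the ones that widen access for domains already in use, which is the distinction the two extra forms are meant to surface.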