CHECKMODULE(8)             System Manager's Manual            CHECKMODULE(8)

NAME         top

       checkmodule - SELinux policy module compiler

SYNOPSIS         top

       checkmodule [-h] [-b] [-C] [-m] [-M] [-U handle_unknown ] [-V] [-o
       output_file] [input_file]

DESCRIPTION         top

       This manual page describes the checkmodule command.

       checkmodule is a program that checks and compiles a SELinux security
       policy module into a binary representation.  It can generate either a
       base policy module (default) or a non-base policy module (-m option);
       typically, you would build a non-base policy module to add to an
       existing module store that already has a base module provided by the
       base policy.  Use semodule_package to combine this module with its
       optional file contexts to create a policy package, and then use
       semodule to install the module package into the module store and load
       the resulting policy.

OPTIONS         top

              Read an existing binary policy module file rather than a
              source policy module file.  This option is a
              development/debugging aid.

              Write CIL policy file rather than binary policy file.

              Print usage.

       -m     Generate a non-base policy module.

              Enable the MLS/MCS support when checking and compiling the
              policy module.

               Show policy versions created by this program.  Note that you
              cannot currently build older versions.

       -o,--output filename
              Write a binary policy module file to the specified filename.
              Otherwise, checkmodule will only check the syntax of the
              module source file and will not generate a binary module at

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

EXAMPLE         top

       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod

SEE ALSO         top

       semodule(8), semodule_package(8) SELinux documentation at, especially "Configuring the
       SELinux Policy".

AUTHOR         top

       This manual page was copied from the checkpolicy man page written by
       Arpad Magosanyi <>, and edited by Dan Walsh
       <>.  The program was written by Stephen Smalley

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see 
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository 
       ⟨⟩ on 2017-03-13.  If you
       discover any rendering problems in this HTML version of the page, or
       you believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail