CHECKMODULE(8)             System Manager's Manual            CHECKMODULE(8)

NAME         top

       checkmodule - SELinux policy module compiler

SYNOPSIS         top

       checkmodule [-h] [-b] [-C] [-m] [-M] [-U handle_unknown ] [-V] [-o
       output_file] [input_file]

DESCRIPTION         top

       This manual page describes the checkmodule command.

       checkmodule is a program that checks and compiles a SELinux security
       policy module into a binary representation.  It can generate either a
       base policy module (default) or a non-base policy module (-m option);
       typically, you would build a non-base policy module to add to an
       existing module store that already has a base module provided by the
       base policy.  Use semodule_package to combine this module with its
       optional file contexts to create a policy package, and then use
       semodule to install the module package into the module store and load
       the resulting policy.

OPTIONS         top

              Read an existing binary policy module file rather than a
              source policy module file.  This option is a
              development/debugging aid.

              Write CIL policy file rather than binary policy file.

              Print usage.

       -m     Generate a non-base policy module.

              Enable the MLS/MCS support when checking and compiling the
              policy module.

              Show policy versions created by this program.

       -o,--output filename
              Write a binary policy module file to the specified filename.
              Otherwise, checkmodule will only check the syntax of the
              module source file and will not generate a binary module at

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

       -c policyvers
              Specify the policy version, defaults to the latest.

EXAMPLE         top

       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod

SEE ALSO         top

       semodule(8), semodule_package(8) SELinux Reference Policy
       documentation at

AUTHOR         top

       This manual page was copied from the checkpolicy man page written by
       Arpad Magosanyi <>, and edited by Dan Walsh
       <>.  The program was written by Stephen Smalley

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-02-08.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-02-06.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to


Pages that refer to this page: semodule(8)