checkmodule(8) — Linux manual page


CHECKMODULE(8)           System Manager's Manual          CHECKMODULE(8)

NAME         top

       checkmodule - SELinux policy module compiler

SYNOPSIS         top

       checkmodule [-h] [-b] [-c policy_version] [-C] [-E] [-m] [-M] [-U
       handle_unknown] [-V] [-o output_file] [input_file]

DESCRIPTION         top

       This manual page describes the checkmodule command.

       checkmodule is a program that checks and compiles a SELinux
       security policy module into a binary representation.  It can
       generate either a base policy module (default) or a non-base
       policy module (-m option); typically, you would build a non-base
       policy module to add to an existing module store that already has
       a base module provided by the base policy.  Use
       semodule_package(8) to combine this module with its optional file
       contexts to create a policy package, and then use semodule(8) to
       install the module package into the module store and load the
       resulting policy.

OPTIONS         top

              Read an existing binary policy module file rather than a
              source policy module file.  This option is a
              development/debugging aid.

              Write CIL policy file rather than binary policy file.

              Treat warnings as errors

              Print usage.

       -m     Generate a non-base policy module.

              Enable the MLS/MCS support when checking and compiling the
              policy module.

              Show policy versions created by this program.

       -o,--output filename
              Write a binary policy module file to the specified
              filename.  Otherwise, checkmodule will only check the
              syntax of the module source file and will not generate a
              binary module at all.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

       -c policyvers
              Specify the policy version, defaults to the latest.

EXAMPLE         top

       # Build a MLS/MCS-enabled non-base policy module.
       $ checkmodule -M -m httpd.te -o httpd.mod

SEE ALSO         top

       semodule(8), semodule_package(8) SELinux Reference Policy
       documentation at

AUTHOR         top

       This manual page was copied from the checkpolicy man page written
       by Árpád Magosányi <>, and edited by Dan
       Walsh <>.  The program was written by Stephen
       Smalley <>.

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the
       project can be found at 
       ⟨⟩.  If you have a
       bug report for this manual page, see
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to


Pages that refer to this page: semodule(8)