checkpolicy(8) — Linux manual page


CHECKPOLICY(8)             System Manager's Manual            CHECKPOLICY(8)

NAME         top

       checkpolicy - SELinux policy compiler

SYNOPSIS         top

       checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)]
       [-M] [-c policyvers] [-o output_file|-] [-S] [-t target_platform
       (selinux,xen)] [-V] [input_file]

DESCRIPTION         top

       This manual page describes the checkpolicy command.

       checkpolicy is a program that checks and compiles a SELinux security
       policy configuration into a binary representation that can be loaded
       into the kernel.  If no input file name is specified, checkpolicy
       will attempt to read from policy.conf or policy, depending on whether
       the -b flag is specified.

OPTIONS         top

              Read an existing binary policy file rather than a source
              policy.conf file.

              Write policy.conf file rather than binary policy file. Can
              only be used with binary policy file.

              Write CIL policy file rather than binary policy file.

              Enter debug mode after loading the policy.

       -U,--handle-unknown <action>
              Specify how the kernel should handle unknown classes or
              permissions (deny, allow or reject).

              Enable the MLS policy when checking and compiling the policy.

       -c policyvers
              Specify the policy version, defaults to the latest.

       -o,--output filename
              Write a policy file (binary, policy.conf, or CIL policy) to
              the specified filename. If - is given as filename, write it to
              standard output.

              Sort ocontexts before writing out the binary policy. This
              option makes output of checkpolicy consistent with binary
              policies created by semanage and secilc.

              Specify the target platform (selinux or xen).

              Optimize the final kernel policy (remove redundant rules).

              Treat warnings as errors

              Show version information.

              Show usage information.

SEE ALSO         top

       SELinux Reference Policy documentation at

AUTHOR         top

       This manual page was written by Árpád Magosányi
       <>, and edited by Stephen Smalley
       <>.  The program was written by Stephen Smalley

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-08-13.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-08-11.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to


Pages that refer to this page: restorecon(8)setfiles(8)