Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

checkmodule(8) [centos man page]

CHECKMODULE(8)						      System Manager's Manual						    CHECKMODULE(8)

checkmodule - SELinux policy module compiler SYNOPSIS
checkmodule [-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file] DESCRIPTION
This manual page describes the checkmodule command. checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation. It can generate either a base policy module (default) or a non-base policy module (-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use semodule_package to combine this module with its optional file contexts to create a policy package, and then use semodule to install the module package into the module store and load the resulting policy. OPTIONS
-b,--binary Read an existing binary policy module file rather than a source policy module file. This option is a development/debugging aid. -h,--help Print usage. -m Generate a non-base policy module. -M,--mls Enable the MLS/MCS support when checking and compiling the policy module. -V,--version Show policy versions created by this program. Note that you cannot currently build older versions. -o,--output filename Write a binary policy module file to the specified filename. Otherwise, checkmodule will only check the syntax of the module source file and will not generate a binary module at all. -U,--handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). EXAMPLE
# Build a MLS/MCS-enabled non-base policy module. $ checkmodule -M -m httpd.te -o httpd.mod SEE ALSO
semodule(8), semodule_package(8) SELinux documentation at, especially "Configuring the SELinux Policy". AUTHOR
This manual page was copied from the checkpolicy man page written by Arpad Magosanyi <>, and edited by Dan Walsh <>. The program was written by Stephen Smalley <>. CHECKMODULE(8)

Check Out this Related Man Page

SEMODULE(8)								NSA							       SEMODULE(8)

semodule - Manage SELinux policy modules. SYNOPSIS
semodule [options]... MODE [MODES]... DESCRIPTION
semodule is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. semodule may also be used to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transac- tion. semodule acts on module packages created by semodule_package. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way. OPTIONS
-R, --reload force a reload of policy -B, --build force a rebuild of policy (also reloads unless -n is used) -D, --disable_dontaudit Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt -i,--install=MODULE_PKG install/replace a module package -u,--upgrade=MODULE_PKG upgrade an existing module package, or install if the module does not exist -b,--base=MODULE_PKG install/replace base module package -d,--disable=MODULE_NAME disable existing module -e,--enable=MODULE_NAME enable existing module -p,--path=ROOTPATH use an alternate root path -r,--remove=MODULE_NAME remove existing module -l,--list-modules display list of installed modules (other than base) -s,--store name of the store to operate on -n,--noreload,-N do not reload policy after commit -h,--help prints help message and quit -P,--preserve_tunables Preserve tunables in policy -v,--verbose be verbose EXAMPLE
# Install or replace a base policy package. $ semodule -b base.pp # Install or replace a non-base policy package. $ semodule -i httpd.pp # List non-base modules. $ semodule -l # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. $ semodule -DB # Turn "dontaudit" rules back on. $ semodule -B # Install or replace all non-base modules in the current directory. $ semodule -i *.pp # Install or replace all modules in the current directory. $ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i SEE ALSO
checkmodule(8), semodule_package(8) AUTHORS
This manual page was written by Dan Walsh <>. The program was written by Karl MacMillan <>, Joshua Brindle <>, Jason Tang <> Security Enhanced Linux Nov 2005 SEMODULE(8)
Man Page