checkmodule - Linux


checkmodule is a tool used to analyze Security-Enhanced Linux (SELinux) module source code or binary modules and check for potential security flaws or policy violations. It helps ensure that SELinux policies are secure, consistent, and maintainable.


Syntax

checkmodule [options] [module_file]


Options

  • -m: Specify the module type to validate. Can be either "policy" (default) or "cil".
  • -M: Specify the SELinux mode to use for validation. Can be "enforcing" (default), "permissive", or "disabled".
  • -o: Specify the output file. By default, results are printed to the standard output.
  • -v: Enable verbose output with additional information.
  • -h: Display usage information.


Examples

Simple Validation:

checkmodule example_module.te

Validation with Specific SELinux Mode:

checkmodule -M permissive example_module.pp

Output to a File:

checkmodule -o validation_report.txt example_module.cil

Common Issues

  • Module Syntax Errors: Make sure the module source code adheres to the SELinux policy language syntax.
  • Duplicate or Conflicting Labels: Check for duplicate or overlapping labels that could lead to policy violations.
  • Undefined Types or Attributes: Ensure that all types and attributes used in the module are properly defined.
  • Insufficient Permissions: Check for missing or incorrect permissions that could allow unauthorized access or operations.
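
The "Undefined Types or Attributes" item above can be pre-checked before the module is compiled. The following is an added example, not part of checkmodule or of the original page: a simplified Python scan of raw .te source that reports type and attribute names used in access-vector rules without a declaration or require entry. It assumes plain module source without m4 macros or optional blocks; the sample module and all function names are constructed for illustration.

```python
import re

# Constructed sample source: httpd_log_t is used in a rule but is neither
# declared with 'type' nor listed in the require block.
SAMPLE_TE = """
module example_module 1.0;
require {
    type httpd_t;
    attribute file_type;
    class file { read open getattr };
}
type example_data_t, file_type;   # declared locally
allow httpd_t example_data_t:file { read open };
allow httpd_t { example_data_t httpd_log_t }:file getattr;
allow example_data_t self:file read;
"""

# Source and target field of an access-vector rule, up to the ':' before the class.
AV_RULE = re.compile(r"\s*\}?\s*(?:allow|dontaudit|auditallow|neverallow)\s+(.+?):", re.S)

def statements(te_source):
    """Strip '#' comments and split the source into ';'-terminated statements."""
    return re.sub(r"#.*", "", te_source).split(";")

def declared_names(te_source):
    """Types and attributes the module declares itself or lists under require."""
    names, in_require = set(), False
    for stmt in statements(te_source):
        stmt = stmt.strip()
        if stmt.startswith("}"):                 # end of a require block
            in_require, stmt = False, stmt[1:].strip()
        block = re.match(r"require\s*\{\s*(.*)", stmt, re.S)
        if block:
            in_require, stmt = True, block.group(1)
        words = re.findall(r"[\w.]+", stmt)
        if words and words[0] in ("type", "attribute"):
            # A require entry may list several names; a declaration names one.
            names.update(words[1:] if in_require else words[1:2])
    return names

def undeclared_names(te_source):
    """Source/target names in access-vector rules that were never declared."""
    used = set()
    for stmt in statements(te_source):
        rule = AV_RULE.match(stmt)
        if rule:
            used.update(re.findall(r"[\w.]+", rule.group(1)))
    used.discard("self")                         # keyword, not a type
    return sorted(used - declared_names(te_source))
```

Calling undeclared_names(SAMPLE_TE) reports httpd_log_t; adding it to the require block clears the finding.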


Integration with Other Commands

With semanage:

semanage import -m example_module
checkmodule example_module.cil

With audit2allow:

audit2allow -a -m example_module > example_module.te
checkmodule example_module.te

Related Commands

  • semanage: Manage SELinux policies and configuration.
  • audit2allow: Generate SELinux policies based on system audit events.