checkpolicy - Linux


Overview

checkpolicy is the SELinux policy compiler. It checks a policy source file (policy.conf, the monolithic kernel policy language) and compiles it into the binary representation the kernel loads. With -b it reads an existing binary kernel policy instead, which can then be written back out as policy.conf (-F) or converted to CIL (-C). It does not operate on loadable policy modules (.te, .mod, .pp); those are compiled with checkmodule and packaged with semodule_package. If no input file is given, checkpolicy reads policy.conf (or policy when -b is given) from the current directory.

Syntax

checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown] [-M] [-N] [-c policyvers] [-o output_file|-] [-S] [-t target_platform] [-O] [-E] [-V] [input_file]

Options/Flags

  • -b, --binary: Read an existing binary kernel policy instead of a policy.conf source file.
  • -F, --conf: Write a policy.conf source file instead of a binary policy. Only valid together with -b.
  • -C, --cil: Write the policy in CIL instead of binary form (input for secilc).
  • -d, --debug: After loading the policy, enter an interactive debug mode for querying access decisions, SIDs and transitions against the loaded policy; nothing is loaded into the kernel.
  • -U, --handle-unknown ACTION: Tell the kernel how to treat classes or permissions the policy does not define: deny (the default), allow or reject.
  • -M, --mls: Enable MLS when checking and compiling the policy.
  • -N, --disable-neverallow: Skip checking neverallow assertions. For diagnosis only; a policy that needs this flag to build has a real violation.
  • -c POLICYVERS: Write the given kernel policy version; defaults to the newest version libsepol knows, which the running kernel may not accept.
  • -o, --output FILE: Write the compiled policy (binary, or source with -F, or CIL with -C) to FILE; "-" means standard output.
  • -S, --sort: Sort ocontexts before writing, so the output matches what semanage and secilc produce.
  • -t, --target PLATFORM: Target platform, selinux (default) or xen.
  • -O, --optimize: Remove redundant rules from the final kernel policy.
  • -E, --werror: Treat warnings as errors.
  • -V, --version: Print version and exit.
  • -h, --help: Print usage and exit.

Examples

Compile policy.conf in the current directory into a binary kernel policy with MLS enabled, failing on any warning:

checkpolicy -M -E -o policy.bin policy.conf

Decompile an installed kernel policy back into policy.conf (the version suffix varies with the distribution and kernel):

checkpolicy -b -F -o policy.conf /etc/selinux/targeted/policy/policy.33

Convert a source policy to CIL so it can be compiled with secilc:

checkpolicy -C -o policy.cil policy.conf

Load a source policy into checkpolicy's interactive debug mode to query access decisions without touching the running kernel:

checkpolicy -d policy.conf
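The flags a binary was built with are recorded in the header libsepol writes at the start of every kernel policy file, so you can check a compiled policy before installing it. The following is an added example, not code from checkpolicy or libsepol: it parses that header (magic, target string, version, config word) and reports which -c, -M, -U and -t settings reproduce it, flagging -U allow because that makes the kernel grant access for any class or permission the policy does not define. The header layout, the magic value 0xf97cff8c and the config bits (MLS 0x1, reject-unknown 0x2, allow-unknown 0x4) follow libsepol's policydb format; the SAMPLE bytes are constructed for the example and are not a real policy.

```python
"""Inspect the header of a binary SELinux kernel policy (what checkpolicy -o
writes) and report which checkpolicy flags reproduce it.

Added example, not part of checkpolicy or libsepol.
"""
import struct

POLICYDB_MAGIC = 0xF97CFF8C   # kernel policy magic (libsepol POLICYDB_MAGIC)
POLICYDB_CONFIG_MLS = 0x1     # policy was compiled with -M
REJECT_UNKNOWN = 0x2          # compiled with -U reject
ALLOW_UNKNOWN = 0x4           # compiled with -U allow (fail-open)


def parse_policy_header(data: bytes) -> dict:
    """Parse the fixed header at the start of a kernel policy.

    Layout (little-endian u32 unless noted): magic, target-string length,
    target string ("SE Linux" or "XenFlask"), policy version, config flags,
    symbol-table count, ocontext count.
    """
    if len(data) < 8:
        raise ValueError("too short to be a policy file")
    magic, slen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a kernel policy "
                         "(module .mod/.pp files use a different magic)")
    if slen > 32 or len(data) < 8 + slen + 16:
        raise ValueError("truncated header")
    target = data[8:8 + slen].decode("ascii")
    version, config, nsym, nocon = struct.unpack_from("<IIII", data, 8 + slen)
    if config & REJECT_UNKNOWN:
        unknown = "reject"
    elif config & ALLOW_UNKNOWN:
        unknown = "allow"
    else:
        unknown = "deny"
    return {
        "target": target,
        "version": version,
        "mls": bool(config & POLICYDB_CONFIG_MLS),
        "handle_unknown": unknown,
        "symbol_tables": nsym,
        "ocontexts": nocon,
    }


def rebuild_flags(hdr: dict) -> str:
    """checkpolicy flags that would produce a policy with this header."""
    flags = [f"-c {hdr['version']}", f"-U {hdr['handle_unknown']}"]
    if hdr["mls"]:
        flags.append("-M")
    if hdr["target"] == "XenFlask":
        flags.append("-t xen")
    return " ".join(flags)


def build_header(target: bytes, version: int, config: int,
                 nsym: int = 8, nocon: int = 9) -> bytes:
    """Construct a header for testing (sample data, not a real policy)."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(target)) + target
            + struct.pack("<IIII", version, config, nsym, nocon))


# Constructed sample: version 33, MLS, and the weak -U allow setting.
SAMPLE = build_header(b"SE Linux", 33, POLICYDB_CONFIG_MLS | ALLOW_UNKNOWN)


if __name__ == "__main__":
    import sys
    # Usage: python3 policy_header.py [/etc/selinux/targeted/policy/policy.NN]
    data = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else SAMPLE
    hdr = parse_policy_header(data)
    print(hdr)
    print("rebuild with: checkpolicy", rebuild_flags(hdr), "-o policy.bin policy.conf")
    if hdr["handle_unknown"] == "allow":
        print("WARNING: kernel will grant access for classes/permissions "
              "this policy does not define")
```

Run it against a real policy file to learn which -c value to pass so a freshly compiled policy stays loadable on the same kernel, and to confirm that a policy you did not build yourself was not compiled with -U allow.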

Common Issues

  • error(s) encountered while parsing configuration: the source did not parse. The preceding lines name the file, line number and offending token (an undeclared type or class, a misspelled permission). checkpolicy does not emit a partial policy; fix the source and rerun.
  • neverallow ... violated by allow ...: libsepol found an allow rule that contradicts a neverallow assertion, and checkpolicy stops with "Error while expanding policy". Narrow or remove the allow rule. -N suppresses the check and is only useful for finding which rule trips it; a policy built with -N must never be installed.
  • Permission denied: writing into /etc/selinux/<store>/policy/ or loading the result with load_policy needs root. Compiling into a working directory does not, and reading the installed policy with -b usually does not either.
  • The compiled policy will not load: the version written (-c, default newest) is higher than the running kernel supports. cat /sys/fs/selinux/policyvers shows the maximum the kernel accepts; pass that value with -c.
  • Built with -U allow: the kernel grants access for every class and permission the policy does not define, so a class introduced by a newer kernel is unconfined until the policy is updated. Keep the default deny, or use -U reject if an unknown class should stop the policy from loading at all.

Integration

checkpolicy produces the monolithic kernel policy. On a system that uses a modular policy store the equivalent pipeline is checkmodule (compile a module), semodule_package (bundle it with its file contexts) and semodule (link the modules and install the result); sepolicy generate writes template .te files that are then built with checkmodule, not checkpolicy. checkpolicy -C bridges the two formats by emitting CIL that secilc can compile, and load_policy loads any resulting binary policy into the kernel.

Related Commands

  • checkmodule(8): Compiles a single policy module (.te) into a .mod file.
  • semodule_package(8): Combines a .mod file and its file contexts into a .pp package.
  • semodule(8): Installs, removes and lists policy modules in the policy store.
  • secilc(8): Compiles CIL policy, including the output of checkpolicy -C.
  • load_policy(8): Loads a compiled binary policy into the kernel.
  • sepolicy(8): Policy query and generation tool (sepolicy generate).
  • selinux(8): Overview of SELinux.