checkpolicy - Linux


checkpolicy scans Security-Enhanced Linux (SELinux) policy modules for potential policy violations and issues warnings or errors as appropriate. It helps administrators and developers ensure the correctness and consistency of SELinux policies.


checkpolicy [-V] [-d] [-b] [-n] [-t] [-1] [-p FILE] [-f FILE] [-c FILE]


  • -V: Print version and exit.
  • -d: Disable debugging messages.
  • -b: Batch mode (suppress warnings).
  • -n: Don’t print output.
  • -t: Test mode (don’t modify policy).
  • -1: Print only the first error or warning.
  • -p FILE: Load policy from FILE.
  • -f FILE: Append policy from FILE.
  • -c FILE: Check policy against context FILE.


Basic usage:


Disable debugging messages:

checkpolicy -d

Test a policy module:

checkpolicy -t mypolicy.te

Common Issues

  • Error: Permission denied: Ensure you have sufficient permissions to run checkpolicy.
  • Error: Is selinux enabled?: Check if SELinux is enabled on the system.
  • Warning: Policy uses permissive_deny_unknown: This warning indicates potential security risks. Consider using permissive_deny_none instead.
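
A preflight for the first two items above, as an added example that is not part of the original page: it reports whether the policy file is readable and whether SELinux is enabled, using the standard selinuxfs mount at /sys/fs/selinux. The function name selinux_preflight and the SELINUXFS override are names chosen for this example.

```shell
#!/bin/sh
# Added example. SELINUXFS may point at a constructed directory for testing;
# by default the standard selinuxfs mount point is used.
# Usage: selinux_preflight mypolicy.te

selinux_preflight() {
    policy_file=$1
    fs=${SELINUXFS:-/sys/fs/selinux}
    status=0

    # "Permission denied": the policy source must exist and be readable
    # by the user who is about to run checkpolicy.
    if [ ! -e "$policy_file" ]; then
        echo "policy: $policy_file not found"; status=1
    elif [ ! -r "$policy_file" ]; then
        echo "policy: $policy_file not readable by $(id -un)"; status=1
    else
        echo "policy: $policy_file readable"
    fi

    # "Is selinux enabled?": selinuxfs exposes 'enforce' only when SELinux
    # is enabled in the running kernel (1 = enforcing, 0 = permissive).
    if [ ! -r "$fs/enforce" ]; then
        echo "selinux: disabled or selinuxfs not mounted (no $fs/enforce)"
        status=1
    else
        case $(cat "$fs/enforce") in
            1) echo "selinux: enforcing" ;;
            0) echo "selinux: permissive" ;;
            *) echo "selinux: unknown state"; status=1 ;;
        esac
        # Highest policy version the running kernel accepts.
        if [ -r "$fs/policyvers" ]; then
            echo "policyvers: $(cat "$fs/policyvers")"
        fi
    fi
    return $status
}
```

The function returns 0 only when both checks pass, so it can gate a build step that runs checkpolicy.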


checkpolicy can be used with other SELinux tools, such as sepolicy-generate, to develop and enforce SELinux policies.

Related Commands

  • sepolicy-generate: Generates initial SELinux policy modules.
  • sepolicy-manage: Manages SELinux policy modules.
  • SELinux documentation