- Unix Commands Reference
- Unix Commands - Home
checkmodule Command in Linux
The checkmodule is a Linux command used for checking and compiling SELinux security policy modules into a binary representation. These modules define access controls and permissions for processes and files. You can use checkmodule command to generate either a base policy module (the default one), or a non-base policy module.
Table of Contents
- Installation of checkmodule in Linux
- Syntax for checkmodule in Linux
- Different Available Options for checkmodule Command
- Examples of checkmodule Command in Linux
Installation of checkmodule in Linux
You may find checkmodule preinstalled on a few Linux systems, however, in most systems, you have to manually install this command-line utility. To install and use the checkmodule utility, you must install the checkpolicy package on your system. The checkpolicy package includes the checkmodule command.
Depending on your operating systems, you can use the desired package manager to install the checkpolicy package.
The Debian and Ubuntu users can install checkpolicy package on their systems from the apt install command given below −
sudo apt install checkpolicy
Red Hat, CentOS and Fedora users can install checkpolicy package from the yum package manager through the below-provided command −
sudo yum install checkpolicy
On Arch Linux, you can use the pacman package manager to install checkpolicy package on your system −
sudo pacman -S checkpolicy
Once you complete the checkpolicy installation, you can use the following command to confirm checkmodule is installed on Linux −
checkmodule --version
Syntax for checkmodule Command in Linux
The basic syntax to use the checkmodule command on Linux is given below −
checkmodule [-h] [-b] [-C] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]
Different Options Available for checkmodule Command
With checkmodule command, you can use different options, which are described in the table provided below −
| Option | Description |
|---|---|
| -b, --binary | Read an existing binary policy module file instead of a source policy module file (useful for debugging). |
| -h, --help | Print usage information. |
| -m | Generate a non-base policy module. |
| -C, --cil | Write a CIL policy file instead of a binary policy file. |
| -E, --werror | Consider warnings as errors. |
| -M, --mls | Enable MLS/MCS support when checking and compiling the policy module. |
| -o, --output filename | Write a binary policy module file to the desired filename. If not provided, only syntax checking is performed without generating a binary module. |
| -V, --version | Display the policy versions created by this utility. |
| -U, --handle-unknown <action> | Specify how the kernel handles unknown permissions or classes (deny, allow, or reject). |
| -c policyvers | Specify the policy version. The default is set to the latest. |
Examples of checkmodule Command in Linux
Let’s explore a few examples of checkmodule command on Linux −
- Compile a Base Policy Module
- Build a Non-Base Policy Module
- Compile with CIL
- Handle Unknown Classes or Permissions
- Check Syntax without Generating Binary Module
- Compile with Warning as Errors
Compile a Base Policy Module
If you want to compile the policy with checkmodule to produce an intermediate binary policy file, you can use the -o followed by the specified file name. For example, ito generate an intermediate binary policy module named intermediate.mod, the following command will be used −
checkmodule -o intermediate.mod policy.conf
If you want to compile a base policy module with binary input, you can add -b option as well. Here is an example −
checkmodule -b -o base_from_binary.mod base_from_binary.bin
Build a Non-Base Policy Module (MLS/MCS-Enabled)
If you want to generate a non-base policy module, which is normally used to add to an existing module store, simply add -M option. The following example will create a non-base policy module named http.mod −
checkmodule -M -m httpd.te -o httpd.mod
Compile with CIL (Common Intermediate Language)
For writing a CIL policy file instead of a binary policy file on Linux, use the -C. For example, the following command will produce a CIL policy file named cil_policy.cil −
checkmodule -C -o cil_policy.cil policy.conf
Handle Unknown Classes or Permissions
To specify how the kernel handles the unknown classes or permissions, you can simply use the -U option followed by the desired action. For example, to generate a custom policy module with the specified handling for unknown elements, you can use the below-given command −
checkmodule -Udeny -o custom_policy.mod custom_policy.conf
Check Syntax without Generating Binary Module
To check the syntax of a module source file without generating a binary module using the checkmodule command, you can use the -o option followed by the desired output filename. Here is an example that validate the syntax of the syntax_check.conf module source file and report any errors or warnings −
checkmodule -c 30 -o syntax_check.mod syntax_check.conf
Compile with Warning as Errors
To treat warnings as errors, you can consider adding -E option with the checkmodule command followed by the desired output filename. The example for such scenario is given below −
checkmodule -E -o strict_policy.mod strict_policy.conf
This ensures that any warnings encountered halt the compilation process.
Conclusion
checkmodule is a basic package of checkpolicy that can be installed on any Linux system from their desired package manager. In this tutorial, we have explored the installation of checkmodule, covering its syntax and various options. Apart from that, practical examples are also provided to help people in compiling base policy modules or creating custom policies.