checkpolicy Command in Linux
checkpolicy is a Linux utility that is used to check and compile SELinux (Security Enhanced Linux) security policy configurations into a binary representation. This binary representation can then be loaded into the kernel if required at some stage.
Table of Contents
- Installation of checkpolicy in Linux
- Syntax for checkpolicy Command in Linux
- Different Options Available for checkpolicy Command
- Examples of checkpolicy Command in Linux
Installation of checkpolicy in Linux
You may not find the checkpolicy package pre-installed on most Linux distributions. However, you can easily install the checkpolicy package on your system depending on your Linux package manager.
For Debian-based distributions like Ubuntu, Kali Linux and others, the apt package manager can be used to install checkpolicy. Simply use the command provided below to install the checkpolicy package on your system −
sudo apt install checkpolicy
If you are using Red Hat-based distributions like CentOS and Fedora, you can install the checkpolicy package with the yum package manager using the following command −
sudo yum install checkpolicy
On Arch Linux, you can use the pacman package manager to install the checkpolicy package on your system −
sudo pacman -S checkpolicy
Once you are done with the installation, use the below-given command to confirm that checkpolicy is installed on Linux −
checkpolicy --version
Syntax for checkpolicy Command in Linux
The command syntax to use the checkpolicy command on Linux is given below −
checkpolicy [-b[F]] [-C] [-d] [-M] [-c policyvers] [-U handle_unknown (allow,deny,reject)] [-o output_file|-] [-S] [-O] [-E] [-t target_platform (selinux,xen)] [-V] [input_file]
Different Options Available for checkpolicy Command
The options in the following table can be used with the checkpolicy command on Linux −
| Option | Description |
|---|---|
| -b or --binary | Reads an existing binary policy file instead of a source policy.conf file. |
| -C or --cil | Writes a CIL (Common Intermediate Language) policy file instead of a binary policy file. |
| -d or --debug | Enters debug mode after loading the policy. |
| -c policyvers | Specifies the policy version. Defaults to the latest version checkpolicy supports. |
| -M or --mls | Enables the MLS (Multi-Level Security) policy when compiling and checking the policy. |
| -o or --output filename | Writes the policy file to the desired filename. If you use -, it writes to standard output. |
| -U or --handle-unknown <action> | Specifies how the kernel handles unknown permissions or classes (deny, allow, or reject). |
| -t or --target <platform> | Selects the target platform, selinux (the default) or xen. |
| -V or --version | Shows version information. |
| -h or --help | Displays usage information. |
Examples of checkpolicy Command in Linux
Let’s explore different examples of the checkpolicy command on Linux −
- Check and Generate Binary Policy File
- Enable Multi-Level Security and Compile
- Specify Custom Policy Version
- Target a Specific Platform
- Handle Unknown Classes or Permissions
- Enter Debug Mode
- Write a CIL Policy File
Check and Generate Binary Policy File
One of the basic functions of the checkpolicy command on Linux is to check a source policy file and generate a binary policy file. This is the default mode and needs no extra flag; note that -b does the opposite (as the table above shows, it reads an existing binary policy rather than a source file). For example, to check a source policy file called policy.conf and generate a binary policy file my_policy.bin, use −
checkpolicy -o my_policy.bin policy.conf
Enable Multi-Level Security (MLS) and Compile
To enable Multi-Level Security (MLS) and compile a policy, use the -M flag with the checkpolicy command. For example −
checkpolicy -M -o mls_policy.bin policy.conf
Specify Custom Policy Version
You can specify a custom policy version, for instance version 2.0, using the -c option with the checkpolicy command. The version must be one that checkpolicy supports, otherwise it reports the value as out of range, and the kernel that will load the policy must support it as well. For instance −
checkpolicy -c 2.0 -o custom_policy.bin policy.conf
Target a Specific Platform
To compile for a specific platform, for example Xen, you can use the -t option with checkpolicy. For example −
checkpolicy -t xen -o xen_policy.bin policy.conf
Handle Unknown Classes or Permissions
You can also control how the kernel handles unknown classes or permissions with checkpolicy by using the -U option. For example, to allow unknown elements, you can use −
checkpolicy -U allow -o unknown_policy.bin policy.conf
Enter Debug Mode
If you want to enter debug mode after loading the policy, you can simply use the -d option with the checkpolicy command. For example −
checkpolicy -d -o debug_policy.bin policy.conf
Write a CIL Policy File
To create a Common Intermediate Language (CIL) policy file, you can use the -C option, for instance −
checkpolicy -C -o cil_policy.cil policy.conf
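The following script ties the examples above together: it writes a constructed minimal SELinux source policy, compiles it to a binary (the default mode, without -b), reads the binary back with -b to confirm it loads, and emits a CIL copy with -C. This is an added example, not code from the original page or from the checkpolicy project; the policy.conf content, file names and the run_demo helper are constructed for this demo.

```sh
#!/bin/sh
# Added example, not from the original page: build a tiny SELinux source policy,
# compile it with checkpolicy, read the binary back with -b, and emit a CIL copy.
# The policy.conf content and all file names are constructed for this demo.

# Write a constructed minimal policy.conf: one class, one initial SID,
# one access vector, one type, one role, one user, and a context for the
# kernel SID. checkpolicy requires these sections in this order.
write_minimal_policy() {
    cat > "$1" <<'EOF'
class process
sid kernel
class process { fork }
type kernel_t;
role kernel_r types kernel_t;
user system_u roles kernel_r;
sid kernel system_u:kernel_r:kernel_t
EOF
}

# Compile $1 (policy.conf) into $2 (binary). Returns checkpolicy's exit status,
# so a syntax or semantic error in the source is visible to the caller.
compile_policy() {
    checkpolicy -o "$2" "$1"
}

# Validate a compiled binary by loading it with -b (no -o, so nothing is written).
verify_binary() {
    checkpolicy -b "$1"
}

# Convert the same source to CIL; -C changes the output format, not the input.
write_cil() {
    checkpolicy -C -o "$2" "$1"
}

# Run the whole procedure in a scratch directory and list what was produced.
run_demo() {
    work=$(mktemp -d) || return 1
    write_minimal_policy "$work/policy.conf"
    compile_policy "$work/policy.conf" "$work/policy.bin" || return 1
    verify_binary "$work/policy.bin" || return 1
    write_cil "$work/policy.conf" "$work/policy.cil" || return 1
    ls -l "$work"
    rm -rf "$work"
}

if command -v checkpolicy >/dev/null 2>&1; then
    run_demo
else
    echo "checkpolicy is not installed; install it as shown above and re-run." >&2
fi
```

Two points worth noting when adapting this: compiling with -M (the MLS example above) on this source would fail, because an MLS policy must declare sensitivities and categories and give every context a range; and the exit status of compile_policy is what a build or CI step should check, since checkpolicy returns non-zero on any policy error.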
That’s how you can use the checkpolicy command on your Linux system.
Conclusion
checkpolicy is a vital tool for managing SELinux policies on your Linux system. This tutorial has covered the syntax of the checkpolicy command along with its different options and some practical examples for beginners.
By following these examples and adapting them to your specific policy files, you will be well-equipped to compile base policy modules or create custom policies effectively.