checkpolicy [-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]


This manual page describes the checkpolicy command.

checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b flag is specified.



Read an existing binary policy file rather than a source policy.conf file.


Enter debug mode after loading the policy.


Enable the MLS policy when checking and compiling the policy.

-o,--output filename

Write a binary policy file to the specified filename.

-c policyvers

Specify the policy version, defaults to the latest.


Specify the target platform (selinux or xen).

-U,--handle-unknown <action>

Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).


Show version information.


Show usage information.

RELATED TO checkpolicy…

SELinux documentation at, especially "Configuring the SELinux Policy".


This manual page was written by Arpad Magosanyi <[email protected]>, and edited by Stephen Smalley <[email protected]>. The program was written by Stephen Smalley <[email protected]>.