checkmodule — SELinux policy module compiler


checkmodule [-h] [-b] [-C] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]


This manual page describes the checkmodule command.

checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation.  It can generate either a base policy module (default) or a non-base policy module (-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy.  Use semodule_package to combine this module with its optional file contexts to create a policy package, and then use semodule to install the module package into the module store and load the resulting policy.



Read an existing binary policy module file rather than a source policy module file.  This option is a development/debugging aid.


Write CIL policy file rather than binary policy file.


Print usage.


Generate a non-base policy module.


Enable the MLS/MCS support when checking and compiling the policy module.


Show policy versions created by this program.

-o,--output filename

Write a binary policy module file to the specified filename. Otherwise, checkmodule will only check the syntax of the module source file and will not generate a binary module at all.

-U,--handle-unknown <action>

Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).

-c policyvers

Specify the policy version, defaults to the latest.


# Build a MLS/MCS-enabled non-base policy module.
$ checkmodule -M -m httpd.te -o httpd.mod

See Also

semodule(8), semodule_package(8) SELinux documentation at, especially "Configuring the SELinux Policy".


This manual page was copied from the checkpolicy man page  written by Arpad Magosanyi <>,  and edited by Dan Walsh <>. The program was written by Stephen Smalley <>.

Referenced By

semodule(8), semodule_expand(8), semodule_link(8), semodule_package(8).