Compile the security policy
Syntax:
secpolcompile [-m] [-o compiled policy] [input file name]
Options:
- -m
- When you use this option, the compiled policy is mutable, which means it can be pushed to the microkernel multiple times. If this mutable option is not specified, the policy is immutable and once pushed, cannot be changed. You always want to use immutable policies for systems that are intended to be secure.
- -o compiled policy
- Output file name. Without this option, the input is checked for validity but
no binary policy is written.
- input file name
- The name of the security policy file (a text file) that will be compiled
into a binary file with input file name. The input file
must contain plain text and be written with valid security policy grammar.
You can list more than one input file as the source of rules for a compiled
policy and the text from these files will be concatenated before it is
compiled into a policy. There is no default, and it makes no difference what
the file extension is.
Description:
Use the secpolcompile utility to compile the security policy text
file. This utility is not a target-based utility and must be run from the host.
Warning: Integrate security policy changes for mandatory access control
(MAC) iteratively, and do not deploy them to a production system until you have
tested them out. A misconfigured policy could result in loss of system
access.
See the Security Developers Guide for more information about:
- how to design a security policy
- the grammar that you can use in the text version of the security policy file
(uncompiled)
- how to manage a compiled security policy with the secpol
utility and push it to the microkernel
- best practices for security integration
- mandatory access control (MAC)
Example:
To compile an immutable security policy and override the default file names:
secpolcompile -o mysecpol.bin mysecpol.txt
The following example shows how to indicate iteration when compiling the security
policy mysecpol.txt:
secpolcompile -m -o mysecpol.bin mysecpol.txt