secpolcompile

Compile the security policy

Syntax:

secpolcompile [-m] [-o compiled policy] [input file name]

Runs on:

Host

Options:

-m
When you use this option, the compiled policy is mutable, which means it can be pushed to the microkernel multiple times. If this mutable option is not specified, the policy is immutable and once pushed, cannot be changed. You always want to use immutable policies for systems that are intended to be secure.
-o compiled policy
Output file name. Without this option, the input is checked for validity but no binary policy is written.
input file name
The name of the security policy file (a text file) that will be compiled into a binary file with input file name. The input file must contain plain text and be written with valid security policy grammar. You can list more than one input file as the source of rules for a compiled policy and the text from these files will be concatenated before it is compiled into a policy. There is no default, and it makes no difference what the file extension is.

Description:

Use the secpolcompile utility to compile the security policy text file. This utility is not a target-based utility and must be run from the host.

Warning: Integrate security policy changes for mandatory access control (MAC) iteratively, and do not deploy them to a production system until you have tested them out. A misconfigured policy could result in loss of system access.

See the Security Developers Guide for more information about:

Example:

To compile an immutable security policy and override the default file names:

secpolcompile -o mysecpol.bin  mysecpol.txt
            

The following example shows how to indicate iteration when compiling the security policy mysecpol.txt:

secpolcompile -m -o mysecpol.bin  mysecpol.txt