If you’re familiar with a programming language, such as C, you’ll find that working with an SELinux policy resembles working with a program. Programs generally have two forms: a source form and an object form. Programmers work with the source form of a program, which resides in one or more ordinary text files. These files can be created and changed using a text editor or interactive development environment (IDE). However, you can’t load and run the source form of a program. Instead, you must use a compiler to translate the source form into object form. The file that contains the object form of a program is a binary file that cannot be viewed or changed using a text editor. Figure 5-1 shows the process that transforms a program from source to object form.
Figure 5-1. Transforming a program from source to object form
Figure 5-2 shows the process that transforms an SELinux policy from source to binary (object) form. The checkpolicy command is analogous to the compiler that converts a program from source to object form. Sometimes, therefore, the checkpolicy command is referred to as the SELinux policy compiler.
Unlike a typical compiler used to translate computer programs, the
checkpolicy command can take input from only one
source file. So, all SELinux policy source files are concatenated and
written to the
policy.conf file. The
checkpolicy command reads ...