selinux.vger.kernel.org archive mirror
* [Help] how to compile te with checkpolicy.
@ 2025-08-18  8:01 BOBx
  2025-08-18  9:53 ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: BOBx @ 2025-08-18  8:01 UTC (permalink / raw)
  To: selinux

Hi all,

These days I tried to compile te with tools named checkpolicy. I have 
searched the process with google and chatgpt, and I followed the steps 
they told me but I failed.

The following is my te file, cmd and response and other information.

My te file(my_policy.te):
----------------------------------------------
policy_module(my_mypolicy, 1.0)

# Define types
type my_type_t;
type my_type_exec_t, file_type;

# Allow rules
allow my_type_t my_type_exec_t:file execute;
----------------------------------------------

The command:
----------------------------------------------
sudo checkpolicy -M -o my_policy.pp my_policy.te
----------------------------------------------

The response  from command:
----------------------------------------------
my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:


checkpolicy:  error(s) encountered while parsing configuration
----------------------------------------------

OS information: 6.11.0-29-generic, ubuntu 24.10.

Would you please help me to compile te with checkpolicy? Or which 
URL should I read please?

Best regards

BOBx




* Re: [Help] how to compile te with checkpolicy.
  2025-08-18  8:01 [Help] how to compile te with checkpolicy BOBx
@ 2025-08-18  9:53 ` Dominick Grift
  2025-08-18  9:57   ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2025-08-18  9:53 UTC (permalink / raw)
  To: BOBx; +Cc: selinux

BOBx <kabc005009@163.com> writes:

> Hi all,
>
> These days I tried to compile te with tools named checkpolicy. I have
> searched the process with google and chatgpt, and I followed the steps
> they told me but I failed.

Hi,

checkpolicy is for monolithic policy. see below for modular policy:

>
> The following is my te file, cmd and response and other information.
>
> My te file(my_policy.te):
> ----------------------------------------------

This is modular policy that should be compiled with checkmodule and then
packaged with semodule_package:

checkmodule -M -m my_policy.te -o my_policy.mod
semodule_package -o my_policy.pp -m my_policy.mod
semodule -i my_policy.pp

for more information see:

man checkpolicy
man checkmodule
man semodule_package
man semodule

> policy_module(my_mypolicy, 1.0)
>
> # Define types
> type my_type_t;
> type my_type_exec_t, file_type;
>
> # Allow rules
> allow my_type_t my_type_exec_t:file execute;
> ----------------------------------------------
>
> The command:
> ----------------------------------------------
> sudo checkpolicy -M -o my_policy.pp my_policy.te
> ----------------------------------------------
>
> The response  from command:
> ----------------------------------------------
> my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
>
>
> checkpolicy:  error(s) encountered while parsing configuration
> ----------------------------------------------
>
> OS information: 6.11.0-29-generic, ubuntu 24.10.
>
> Would you please help me to compile te with checkpolicy? Or which
> URL should I read please?
>
> Best regards
>
> BOBx
>
>
>

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl


* Re: [Help] how to compile te with checkpolicy.
  2025-08-18  9:53 ` Dominick Grift
@ 2025-08-18  9:57   ` Dominick Grift
  2025-08-18 10:20     ` Fei Shao
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2025-08-18  9:57 UTC (permalink / raw)
  To: BOBx; +Cc: selinux

Dominick Grift <dominick.grift@defensec.nl> writes:

> BOBx <kabc005009@163.com> writes:
>
>> Hi all,
>>
>> These days I tried to compile te with tools named checkpolicy. I have
>> searched the process with google and chatgpt, and I followed the steps
>> they told me but I failed.
>
> Hi,
>
> checkpolicy is for monolithic policy. see below for modular policy:
>
>>
>> The following is my te file, cmd and response and other information.
>>
>> My te file(my_policy.te):
>> ----------------------------------------------
>
> This is modular policy that should be compiled with checkmodule and then
> packaged with semodule_package:

Oops.
Actually I am wrong. This is reference policy.
It should be compiled with the reference policy makefile. I am not sure
what package provides this Makefile in ubuntu but probably package
selinux-policy-dev:

https://packages.ubuntu.com/questing/all/selinux-policy-dev/filelist

/usr/share/selinux/devel/Makefile

So this should work:

make -f /usr/share/selinux/devel/Makefile my_policy.pp

>
> checkmodule -M -m my_policy.te -o my_policy.mod
> semodule_package -o my_policy.pp -m my_policy.mod
> semodule -i my_policy.pp
>
> for more information see:
>
> man checkpolicy
> man checkmodule
> man semodule_package
> man semodule
>
>> policy_module(my_mypolicy, 1.0)
>>
>> # Define types
>> type my_type_t;
>> type my_type_exec_t, file_type;
>>
>> # Allow rules
>> allow my_type_t my_type_exec_t:file execute;
>> ----------------------------------------------
>>
>> The command:
>> ----------------------------------------------
>> sudo checkpolicy -M -o my_policy.pp my_policy.te
>> ----------------------------------------------
>>
>> The response  from command:
>> ----------------------------------------------
>> my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
>>
>>
>> checkpolicy:  error(s) encountered while parsing configuration
>> ----------------------------------------------
>>
>> OS information: 6.11.0-29-generic, ubuntu 24.10.
>>
>> Would you please help me to compile te with checkpolicy? Or which
>> URL should I read please?
>>
>> Best regards
>>
>> BOBx
>>
>>
>>

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl


* Re: [Help] how to compile te with checkpolicy.
  2025-08-18  9:57   ` Dominick Grift
@ 2025-08-18 10:20     ` Fei Shao
  2025-08-18 10:43       ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Fei Shao @ 2025-08-18 10:20 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux



On 18/08/2025 17:57, Dominick Grift wrote:
> Dominick Grift <dominick.grift@defensec.nl> writes:
>
>> BOBx <kabc005009@163.com> writes:
>>
>>> Hi all,
>>>
>>> These days I tried to compile te with tools named checkpolicy. I have
>>> searched the process with google and chatgpt, and I followed the steps
>>> they told me but I failed.
>> Hi,
>>
>> checkpolicy is for monolithic policy. see below for modular policy:
>>
>>> The following is my te file, cmd and response and other information.
>>>
>>> My te file(my_policy.te):
>>> ----------------------------------------------
>> This is modular policy that should be compiled with checkmodule and then
>> packaged with semodule_package:
> Oops.
> Actually I am wrong. This is reference policy.
> It should be compiled with the reference policy makefile. I am not sure
> what package provides this Makefile in ubuntu but probably package
> selinux-policy-dev:
>
> https://packages.ubuntu.com/questing/all/selinux-policy-dev/filelist
>
> /usr/share/selinux/devel/Makefile
>
> So this should work:
>
> make -f /usr/share/selinux/devel/Makefile my_policy.pp
I used this command and it generated the pp file fine.

>> checkmodule -M -m my_policy.te -o my_policy.mod
This command doesn't work. The response is :
----------------------------------------------------
my_policy.te:1:ERROR 'Building a policy module, but no module 
specification found.
' at token 'policy_module' on line 1:


checkmodule:  error(s) encountered while parsing configuration
--------------------------------------------------
It seems the articles from search engine are not wrong.


>> semodule_package -o my_policy.pp -m my_policy.mod
>> semodule -i my_policy.pp
>>
>> for more information see:
>>
>> man checkpolicy
>> man checkmodule
>> man semodule_package
>> man semodule
>>
>>> policy_module(my_mypolicy, 1.0)
>>>
>>> # Define types
>>> type my_type_t;
>>> type my_type_exec_t, file_type;
>>>
>>> # Allow rules
>>> allow my_type_t my_type_exec_t:file execute;
>>> ----------------------------------------------
>>>
>>> The command:
>>> ----------------------------------------------
>>> sudo checkpolicy -M -o my_policy.pp my_policy.te
>>> ----------------------------------------------
>>>
>>> The response  from command:
>>> ----------------------------------------------
>>> my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
>>>
>>>
>>> checkpolicy:  error(s) encountered while parsing configuration
>>> ----------------------------------------------
>>>
>>> OS information: 6.11.0-29-generic, ubuntu 24.10.
>>>
>>> Would you please help me to compile te with checkpolicy? Or which
>>> URL should I read please?
>>>
>>> Best regards
>>>
>>> BOBx
>>>
>>>
>>>



* Re: [Help] how to compile te with checkpolicy.
  2025-08-18 10:20     ` Fei Shao
@ 2025-08-18 10:43       ` Dominick Grift
  2025-08-18 12:44         ` BOB x
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2025-08-18 10:43 UTC (permalink / raw)
  To: Fei Shao; +Cc: selinux

Fei Shao <kabc005009@163.com> writes:

> On 18/08/2025 17:57, Dominick Grift wrote:
>> Dominick Grift <dominick.grift@defensec.nl> writes:
>>
>>> BOBx <kabc005009@163.com> writes:
>>>
>>>> Hi all,
>>>>
>>>> These days I tried to compile te with tools named checkpolicy. I have
>>>> searched the process with google and chatgpt, and I followed the steps
>>>> they told me but I failed.
>>> Hi,
>>>
>>> checkpolicy is for monolithic policy. see below for modular policy:
>>>
>>>> The following is my te file, cmd and response and other information.
>>>>
>>>> My te file(my_policy.te):
>>>> ----------------------------------------------
>>> This is modular policy that should be compiled with checkmodule and then
>>> packaged with semodule_package:
>> Oops.
>> Actually I am wrong. This is reference policy.
>> It should be compiled with the reference policy makefile. I am not sure
>> what package provides this Makefile in ubuntu but probably package
>> selinux-policy-dev:
>>
>> https://packages.ubuntu.com/questing/all/selinux-policy-dev/filelist
>>
>> /usr/share/selinux/devel/Makefile
>>
>> So this should work:
>>
>> make -f /usr/share/selinux/devel/Makefile my_policy.pp
> I used this command and it generated the pp file fine.
>
>>> checkmodule -M -m my_policy.te -o my_policy.mod
> This command doesn't work. The response is :
> ----------------------------------------------------
> my_policy.te:1:ERROR 'Building a policy module, but no module
> specification found.
> ' at token 'policy_module' on line 1:

Yes the policy_module() macro is reference policy specific and
checkmodule does not understand reference policy.

For reference policy use the reference policy Makefile.

>
>
> checkmodule:  error(s) encountered while parsing configuration
> --------------------------------------------------
> It seems the articles from search engine are not wrong.
>
>
>>> semodule_package -o my_policy.pp -m my_policy.mod
>>> semodule -i my_policy.pp
>>>
>>> for more information see:
>>>
>>> man checkpolicy
>>> man checkmodule
>>> man semodule_package
>>> man semodule
>>>
>>>> policy_module(my_mypolicy, 1.0)
>>>>
>>>> # Define types
>>>> type my_type_t;
>>>> type my_type_exec_t, file_type;
>>>>
>>>> # Allow rules
>>>> allow my_type_t my_type_exec_t:file execute;
>>>> ----------------------------------------------
>>>>
>>>> The command:
>>>> ----------------------------------------------
>>>> sudo checkpolicy -M -o my_policy.pp my_policy.te
>>>> ----------------------------------------------
>>>>
>>>> The response  from command:
>>>> ----------------------------------------------
>>>> my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
>>>>
>>>>
>>>> checkpolicy:  error(s) encountered while parsing configuration
>>>> ----------------------------------------------
>>>>
>>>> OS information: 6.11.0-29-generic, ubuntu 24.10.
>>>>
>>>> Would you please help me to compile te with checkpolicy? Or which
>>>> URL should I read please?
>>>>
>>>> Best regards
>>>>
>>>> BOBx
>>>>
>>>>
>>>>
>

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
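
An added example, not part of any message in this thread: a shell helper that tells the two source flavors discussed above apart and prints the matching commands from the thread, plus a constructed raw-module version of my_policy.te that checkmodule can parse. The names te_flavor, build_plan, write_raw_sample and raw_policy.te are hypothetical, and the raw sample assumes the loaded base policy defines the file_type attribute.

```shell
#!/bin/sh
# Added example (not from the thread): choose the build path for a .te file.

# Print "refpolicy", "module" or "unknown" for the .te file in $1.
te_flavor() {
    # Drop '#' comments so a commented-out statement is not matched.
    src=$(sed 's/#.*$//' "$1")
    if printf '%s\n' "$src" | grep -Eq '^[[:space:]]*policy_module[[:space:]]*\('; then
        echo refpolicy      # m4 macro: needs the reference policy Makefile
    elif printf '%s\n' "$src" |
         grep -Eq '^[[:space:]]*module[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]+[0-9][0-9.]*[[:space:]]*;'; then
        echo module         # raw module statement: checkmodule can parse it
    else
        echo unknown
    fi
}

# Print the commands quoted in the thread that match the detected flavor.
# Run it from the directory that holds the .te file.
build_plan() {
    base=${1%.te}
    case $(te_flavor "$1") in
        refpolicy) echo "make -f /usr/share/selinux/devel/Makefile $base.pp" ;;
        module)    echo "checkmodule -M -m $1 -o $base.mod"
                   echo "semodule_package -o $base.pp -m $base.mod" ;;
        *)         echo "no policy_module() or module statement in $1" >&2
                   return 1 ;;
    esac
}

# Constructed sample: raw-module equivalent of the thread's my_policy.te.
# Assumes the loaded base policy defines the file_type attribute.
write_raw_sample() {
    cat > "$1" <<'EOF'
module my_mypolicy 1.0;

require {
    attribute file_type;
    class file execute;
}

type my_type_t;
type my_type_exec_t, file_type;
allow my_type_t my_type_exec_t:file execute;
EOF
}
```
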


* Re: [Help] how to compile te with checkpolicy.
  2025-08-18 10:43       ` Dominick Grift
@ 2025-08-18 12:44         ` BOB x
  0 siblings, 0 replies; 6+ messages in thread
From: BOB x @ 2025-08-18 12:44 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux



On 2025-08-18 18:43, Dominick Grift wrote:
> BOBx <kabc005009@163.com> writes:
>
>> On 18/08/2025 17:57, Dominick Grift wrote:
>>> Dominick Grift <dominick.grift@defensec.nl> writes:
>>>
>>>> BOBx <kabc005009@163.com> writes:
>>>>
>>>>> Hi all,
>>>>>
>>>>> These days I tried to compile te with tools named checkpolicy. I have
>>>>> searched the process with google and chatgpt, and I followed the steps
>>>>> they told me but I failed.
>>>> Hi,
>>>>
>>>> checkpolicy is for monolithic policy. see below for modular policy:
>>>>
>>>>> The following is my te file, cmd and response and other information.
>>>>>
>>>>> My te file(my_policy.te):
>>>>> ----------------------------------------------
>>>> This is modular policy that should be compiled with checkmodule and then
>>>> packaged with semodule_package:
>>> Oops.
>>> Actually I am wrong. This is reference policy.
>>> It should be compiled with the reference policy makefile. I am not sure
>>> what package provides this Makefile in ubuntu but probably package
>>> selinux-policy-dev:
>>>
>>> https://packages.ubuntu.com/questing/all/selinux-policy-dev/filelist
>>>
>>> /usr/share/selinux/devel/Makefile
>>>
>>> So this should work:
>>>
>>> make -f /usr/share/selinux/devel/Makefile my_policy.pp
>> I used this command and it generated the pp file fine.
>>
>>>> checkmodule -M -m my_policy.te -o my_policy.mod
>> This command doesn't work. The response is :
>> ----------------------------------------------------
>> my_policy.te:1:ERROR 'Building a policy module, but no module
>> specification found.
>> ' at token 'policy_module' on line 1:
> Yes the policy_module() macro is reference policy specific and
> checkmodule does not understand reference policy.
>
> For reference policy use the reference policy Makefile.
Got it. Thanks.
>>
>> checkmodule:  error(s) encountered while parsing configuration
>> --------------------------------------------------
>> It seems the articles from search engine are not wrong.
>>
>>
>>>> semodule_package -o my_policy.pp -m my_policy.mod
>>>> semodule -i my_policy.pp
>>>>
>>>> for more information see:
>>>>
>>>> man checkpolicy
>>>> man checkmodule
>>>> man semodule_package
>>>> man semodule
>>>>
>>>>> policy_module(my_mypolicy, 1.0)
>>>>>
>>>>> # Define types
>>>>> type my_type_t;
>>>>> type my_type_exec_t, file_type;
>>>>>
>>>>> # Allow rules
>>>>> allow my_type_t my_type_exec_t:file execute;
>>>>> ----------------------------------------------
>>>>>
>>>>> The command:
>>>>> ----------------------------------------------
>>>>> sudo checkpolicy -M -o my_policy.pp my_policy.te
>>>>> ----------------------------------------------
>>>>>
>>>>> The response  from command:
>>>>> ----------------------------------------------
>>>>> my_policy.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
>>>>>
>>>>>
>>>>> checkpolicy:  error(s) encountered while parsing configuration
>>>>> ----------------------------------------------
>>>>>
>>>>> OS information: 6.11.0-29-generic, ubuntu 24.10.
>>>>>
>>>>> Would you please help me to compile te with checkpolicy? Or which
>>>>> URL should I read please?
>>>>>
>>>>> Best regards
>>>>>
>>>>> BOBx
>>>>>
>>>>>
>>>>>

