Two Forms of an SELinux Policy

If you’re familiar with a programming language, such as C, you’ll find that working with an SELinux policy resembles working with a program. Programs generally have two forms: a source form and an object form. Programmers work with the source form of a program, which resides in one or more ordinary text files. These files can be created and changed using a text editor or integrated development environment (IDE). However, you can’t load and run the source form of a program. Instead, you must use a compiler to translate the source form into object form. The file that contains the object form of a program is a binary file that cannot be viewed or changed using a text editor. Figure 5-1 shows the process that transforms a program from source to object form.


Figure 5-1. Transforming a program from source to object form

Figure 5-2 shows the process that transforms an SELinux policy from source to binary (object) form. The checkpolicy command is analogous to the compiler that converts a program from source to object form. Sometimes, therefore, the checkpolicy command is referred to as the SELinux policy compiler.

Unlike a typical compiler used to translate computer programs, the checkpolicy command can take input from only one source file. So, all SELinux policy source files are concatenated and written to the policy.conf file. The checkpolicy command reads ...
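The build step that Figure 5-2 describes, as an added shell example that is not code from the book: the policy source fragments are concatenated into a single policy.conf, because checkpolicy accepts only one input file, and that file is then passed to checkpolicy. The fragment file names and their order are this example's own assumption (modelled on the classic example policy layout), the sample fragments are constructed and are not a usable policy, and checkpolicy is only invoked if it is installed on the host.

```shell
#!/bin/sh
# Added example (not from the book): assemble policy.conf from separate
# policy source files and hand it to checkpolicy, as in Figure 5-2.
# Assumptions: the fragment names and their order below are this example's
# convention; checkpolicy runs only when it is present on the host.

# build_policy_conf SRC_DIR OUT_FILE
# checkpolicy reads exactly one input file, so every source fragment is
# concatenated into OUT_FILE. Order matters: the compiler parses top to
# bottom, so classes, permissions and types must be declared before any
# rule refers to them.
build_policy_conf() {
    : > "$2"                                   # start from an empty file
    for f in security_classes initial_sids access_vectors \
             te.conf users constraints initial_sid_contexts fs_contexts; do
        if [ -f "$1/$f" ]; then
            # Mark the fragment boundary so that a line-number error from
            # checkpolicy can be traced back to the file it came from.
            printf '# ---- %s ----\n' "$f" >> "$2"
            cat "$1/$f" >> "$2"
        fi
    done
}

# compile_policy POLICY_CONF OUT_BINARY
# Runs the policy compiler. Returns checkpolicy's exit status, or 127 when
# the tool is not installed on this host.
compile_policy() {
    command -v checkpolicy >/dev/null 2>&1 || return 127
    checkpolicy -o "$2" "$1"
}

# demo: constructed fragments (not a usable policy) to exercise the build.
demo() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'class process\n' > "$work/src/security_classes"
    printf 'sid kernel\n' > "$work/src/initial_sids"
    printf 'class process { fork transition }\n' > "$work/src/access_vectors"
    printf 'type kernel_t;\nallow kernel_t kernel_t : process fork;\n' \
        > "$work/src/te.conf"
    build_policy_conf "$work/src" "$work/policy.conf"
    cat "$work/policy.conf"
    if compile_policy "$work/policy.conf" "$work/policy.bin"; then
        echo "compiled: $work/policy.bin"
    else
        echo "checkpolicy not run or failed; policy.conf was still assembled"
    fi
    rm -rf "$work"
}

demo
```

The fragment headers that build_policy_conf writes are ordinary comments to checkpolicy, so they do not change the compiled policy, but they make it much easier to map a compiler error reported against policy.conf back to the source file that caused it.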
