checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from policy.conf or policy, depending on whether the -b flag is specified.
-b,--binary Read an existing binary policy file rather than a source policy.conf file.
-F,--conf Write policy.conf file rather than binary policy file. Can only be used with binary policy file.
-C,--cil Write CIL policy file rather than binary policy file.
-d,--debug Enter debug mode after loading the policy.
-U,--handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
-M,--mls Enable the MLS policy when checking and compiling the policy.
-c policyvers Specify the policy version, defaults to the latest.
-o,--output filename Write a policy file (binary, policy.conf, or CIL policy) to the specified filename. If - is given as filename, write it to standard output.
-S,--sort Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
-t,--target Specify the target platform (selinux or xen).
-O,--optimize Optimize the final kernel policy (remove redundant rules).
-E,--werror Treat warnings as errors
-V,--version Show version information.
-h,--help Show usage information.