Compile the security policy
Syntax:
secpolcompile [-m] [-o compiled policy] [-p policy_id] [input file name]
Options:
- -m
- When you use this option, the compiled policy is mutable, which means it can be pushed to the microkernel multiple times. If this mutable option is not specified, the policy is immutable and once pushed, cannot be changed. You always want to use immutable policies for systems that are intended to be secure.
- -o compiled policy
- Output file name. Without this option, the input is checked for validity but
no binary policy is written.
- -p
policy_id
- Use the specified policy ID instead of the one
secpolcompile generates automatically.
Whenever you
change the security policy, secpolcompile
automatically changes the policy's ID. This option allows you to specify
a particular policy ID instead, if needed. For example, to load a policy
without it appearing that one is loaded, specify 0 for
policy_id.
- input file name
- The name of the security policy file (a text file) that will be compiled
into a binary file with input file name. The input file
must contain plain text and be written with valid security policy grammar.
You can list more than one input file as the source of rules for a compiled
policy and the text from these files will be concatenated before it is
compiled into a policy. There is no default, and it makes no difference what
the file extension is.
Description:
Use the secpolcompile utility to compile the security policy text
file. This utility is not a target-based utility and must be run from the host.
Warning: Integrate security policy changes iteratively, and do not deploy
them to a production system until you have tested them out. A misconfigured policy
could result in loss of system access.
See Security Policies in the System Security Guide
for more information about:
- how to design a security policy and automate its creation using
secpolgenerate
- the grammar that is used in the uncompiled, text version of the security policy
file (generated or manual)
- how to manage a compiled security policy with the secpol
utility and push it to the microkernel
- best practices for security integration
License checking
The secpolcompile utility checks for a valid QNX license key before performing
any operation. If the license check fails, the utility stops running and displays a
diagnostic message. A license check may fail if the license key is expired, missing, or not
currently activated, or if the key doesn’t contain the permissions needed to run the
utility.
Example:
To compile an immutable security policy and override the default file names:
secpolcompile -o mysecpol.bin mysecpol.txt
The following example shows how to indicate iteration when compiling the security
policy mysecpol.txt:
secpolcompile -m -o mysecpol.bin mysecpol.txt