secpolcompile

Syntax:

secpolcompile [-m] [-o compiled policy] [-p policy_id] [input file name]

Runs on:

Host

Options:

-m: When you use this option, the compiled policy is mutable, which means it can be pushed to the microkernel multiple times. If this mutable option is not specified, the policy is immutable and once pushed, cannot be changed. You always want to use immutable policies for systems that are intended to be secure.
-o compiled policy: Output file name. Without this option, the input is checked for validity but no binary policy is written.
-p policy_id: Use the specified policy ID instead of the one secpolcompile generates automatically.
Whenever you change the security policy, secpolcompile automatically changes the policy's ID. This option allows you to specify a particular policy ID instead, if needed. For example, to load a policy without it appearing that one is loaded, specify 0 for policy_id.
input file name: The name of the security policy file (a text file) that will be compiled into a binary file with input file name. The input file must contain plain text and be written with valid security policy grammar. You can list more than one input file as the source of rules for a compiled policy and the text from these files will be concatenated before it is compiled into a policy. There is no default, and it makes no difference what the file extension is.

Description:

Use the secpolcompile utility to compile the security policy text file. This utility is not a target-based utility and must be run from the host.

Warning: Integrate security policy changes iteratively, and do not deploy them to a production system until you have tested them out. A misconfigured policy could result in loss of system access.

See “Security Policies” in the System Security Guide for more information about:

how to design a security policy and automate its creation using secpolgenerate
the grammar that is used in the uncompiled, text version of the security policy file (generated or manual)
how to manage a compiled security policy with the secpol utility and push it to the microkernel
best practices for security integration

License checking

The secpolcompile utility checks for a valid QNX license key before performing any operation. If the license check fails, the utility stops running and displays a diagnostic message. A license check may fail if the license key is expired, missing, or not currently activated, or if the key doesn’t contain the permissions needed to run the utility.

Example:

To compile an immutable security policy and override the default file names:

secpolcompile -o mysecpol.bin  mysecpol.txt

The following example shows how to indicate iteration when compiling the security policy mysecpol.txt:

secpolcompile -m -o mysecpol.bin  mysecpol.txt