secpolcompile
Compile the security policy
Syntax:
secpolcompile [-e] [-m] [-o compiled policy] [-p policy_id] [input file name...]
Runs on:
Host
Options:
- -e
- Output a secpolgenerate event file instead of a binary policy file. For more information, see State and event files in the System Security Guide.
- -m
- Compile a mutable policy, which can be pushed to the microkernel multiple times. Without this option the policy is immutable: once pushed, it cannot be replaced or changed. Use immutable policies on any system that is intended to be secure; a mutable policy is meant for development, where you iterate on the policy text and push it repeatedly.
- -o compiled policy
- Output file name. Without this option, the input is checked for validity but no binary policy is written.
- -p policy_id
- Use the specified policy ID instead of the one secpolcompile generates automatically. Whenever you change the security policy, secpolcompile generates a new policy ID; this option lets you pin a particular ID instead, if needed. For example, to load a policy without it appearing that one is loaded, specify 0 for policy_id. Be aware that this hides the presence of the policy from anything that checks the ID.
- input file name
- The name of the security policy file (a text file) to compile into the binary file named by -o. The input file must contain plain text written in valid security policy grammar. You can list more than one input file as the source of rules for a compiled policy; the text of these files is concatenated before it is compiled into a single policy. There is no default, and the file extension does not matter.
Description:
Use the secpolcompile utility to compile the security policy text file. This utility is not a target-based utility and must be run from the host.
See Security Policies in the System Security Guide for more information about:
- how to design a security policy and automate its creation using secpolgenerate
- the grammar that is used in the uncompiled, text version of the security policy file (generated or manual)
- how to manage a compiled security policy with the secpol utility and push it to the microkernel
- best practices for security integration
License checking
The secpolcompile utility checks for a valid QNX license key before performing any operation. If the license check fails, the utility stops running and displays a diagnostic message. A license check may fail if the license key is expired, missing, or not currently activated, or if the key doesn’t contain the permissions needed to run the utility.
Example:
To compile an immutable security policy from mysecpol.txt and write the binary policy to mysecpol.bin:
secpolcompile -o mysecpol.bin mysecpol.txt
To compile a mutable policy from mysecpol.txt, so that it can be pushed to the microkernel repeatedly while you iterate on it during development:
secpolcompile -m -o mysecpol.bin mysecpol.txt
Exit status:
- 0
- Successful completion.
- >0
- An error occurred.
- 129
- License not found.
- 130
- Product is not covered under your license.
- 131
- License expired.
- 132
- License not activated.
- 133
- Can't connect to the license server.