secpolcompile

QNX SDP8.0Utilities ReferenceUtilities

Compile the security policy

Syntax:

secpolcompile [-m] [-o compiled policy] [-p policy_id] [input file name]

Runs on:

Host

Options:

-e
Output a secpolgenerate event file instead of a binary policy file. For more information, see State and event files in the System Security Guide.
-m
When you use this option, the compiled policy is mutable, which means it can be pushed to the microkernel multiple times. If this mutable option is not specified, the policy is immutable and once pushed, cannot be changed. You always want to use immutable policies for systems that are intended to be secure.
-o compiled policy
Output file name. Without this option, the input is checked for validity but no binary policy is written.
-p policy_id
Use the specified policy ID instead of the one secpolcompile generates automatically.

Whenever you change the security policy, secpolcompile automatically changes the policy's ID. This option allows you to specify a particular policy ID instead, if needed. For example, to load a policy without it appearing that one is loaded, specify 0 for policy_id.

input file name
The name of the security policy file (a text file) that will be compiled into a binary file with input file name. The input file must contain plain text and be written with valid security policy grammar. You can list more than one input file as the source of rules for a compiled policy and the text from these files will be concatenated before it is compiled into a policy. There is no default, and it makes no difference what the file extension is.

Description:

Use the secpolcompile utility to compile the security policy text file. This utility is not a target-based utility and must be run from the host.

Warning:
Integrate security policy changes iteratively, and do not deploy them to a production system until you have tested them out. A misconfigured policy could result in loss of system access.

See Security Policies in the System Security Guide for more information about:

  • how to design a security policy and automate its creation using secpolgenerate
  • the grammar that is used in the uncompiled, text version of the security policy file (generated or manual)
  • how to manage a compiled security policy with the secpol utility and push it to the microkernel
  • best practices for security integration

License checking

The secpolcompile utility checks for a valid QNX license key before performing any operation. If the license check fails, the utility stops running and displays a diagnostic message. A license check may fail if the license key is expired, missing, or not currently activated, or if the key doesn’t contain the permissions needed to run the utility.

Example:

To compile an immutable security policy and override the default file names:

secpolcompile -o mysecpol.bin  mysecpol.txt

The following example shows how to indicate iteration when compiling the security policy mysecpol.txt:

secpolcompile -m -o mysecpol.bin  mysecpol.txt

Exit status:

0
Successful completion.
>0
An error occurred.
129
License not found.
130
Product is not covered under your license.
131
License expired.
132
License not activated.
133
Can't connect to the license server.
Page updated: