Looking at neverallow rules, the semanage.conf file says:

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.

If I don't set expand-check=1, are the neverallow rules actually enforced? If so, when?

A semodule -i of a policy module with neverallow rules that are violated by the existing binary policy succeeds without complaint unless expand-check=1 in RHEL 7.6. This is not what I expected.

The time taken by a trivial module installation goes from ~0.3 seconds to ~14 seconds, so the time hit for expand-check is pretty serious.

We are trying to establish some policy invariants to protect against unexpected/unnoticed RHEL upstream policy changes, some of which have bitten us recently. Any suggestions are welcome.

joe
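Added example, not part of joe's post and not code from the SELinux project: a small Python re-implementation of the check that expand-check performs, so the mechanism behind the question is visible. It expands attributes to their member types on both the allow side and the neverallow side and reports every (source, target, class, permission) tuple that an allow rule grants and a neverallow rule forbids. It assumes a toy subset of .te syntax (attribute, type, typeattribute, allow, neverallow; sets in braces and self, but no wildcards, complement or exclusion) and runs over a constructed policy text; the type and rule names are made up for illustration. One practical check is built in: an identifier that is neither a declared type nor an attribute raises an error, because a neverallow written against a mistyped or renamed type would otherwise expand to nothing and silently pass.

```python
"""Toy neverallow checker: what expand-check does, on a subset of .te syntax.

Added example for illustration; the grammar below is an assumption and only
covers the statement forms parse_policy handles, not real .te or CIL.
"""
import re
from itertools import product

# Statement splitter and access-vector rule shape for the toy grammar.
_STMT_RE = re.compile(r"\s*(\w+)\s+(.*?)\s*;", re.S)
_AV_RE = re.compile(
    r"^(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)$"
)


def _ids(token):
    """Turn 'x' or '{ x y }' into a set of identifiers."""
    return set(token.strip("{} ").split())


def parse_policy(text):
    """Return (attrs, types, rules).

    attrs maps attribute name -> set of member types, types is the set of
    declared types, rules is a list of (kind, src, tgt, cls, perms) with the
    sets still unexpanded (they may name attributes).
    """
    text = re.sub(r"#.*", "", text)  # drop comments
    attrs, types, rules = {}, set(), []
    for m in _STMT_RE.finditer(text):
        kw, body = m.group(1), m.group(2).strip()
        if kw == "attribute":
            attrs.setdefault(body, set())
        elif kw == "type":
            name, *attr_list = [p.strip() for p in body.split(",")]
            types.add(name)
            for a in attr_list:
                attrs.setdefault(a, set()).add(name)
        elif kw == "typeattribute":
            name, attr_csv = body.split(None, 1)
            for a in attr_csv.split(","):
                attrs.setdefault(a.strip(), set()).add(name)
        elif kw in ("allow", "neverallow"):
            av = _AV_RE.match(body)
            if not av:
                raise ValueError("unsupported AV rule: " + body)
            rules.append((kw, _ids(av["src"]), _ids(av["tgt"]),
                          _ids(av["cls"]), _ids(av["perms"])))
        else:
            raise ValueError("unsupported statement: " + kw)
    return attrs, types, rules


def expand(ids, attrs, types):
    """Replace attribute names by their member types; reject unknown names.

    An attribute with no members legitimately expands to the empty set, which
    is also how a real neverallow over an empty attribute matches nothing.
    """
    out = set()
    for i in ids:
        if i in attrs:
            out |= attrs[i]
        elif i in types:
            out.add(i)
        else:
            raise ValueError("undeclared type or attribute: " + i)
    return out


def expand_rule(rule, attrs, types):
    """Expand one rule into concrete (src, tgt, class, perm) tuples."""
    _kind, src, tgt, cls, perms = rule
    if "*" in perms or any(i[0] in "~-" for i in src | tgt | cls | perms):
        raise ValueError("wildcards, complement and exclusion not supported")
    tuples = set()
    for s in expand(src, attrs, types):
        targets = expand(tgt - {"self"}, attrs, types)
        if "self" in tgt:          # self means "the same type as the source"
            targets.add(s)
        for t, c, p in product(targets, cls, perms):
            tuples.add((s, t, c, p))
    return tuples


def rule_to_str(rule):
    kind, src, tgt, cls, perms = rule
    fmt = lambda s: (" ".join(sorted(s)) if len(s) == 1
                     else "{ " + " ".join(sorted(s)) + " }")
    return f"{kind} {fmt(src)} {fmt(tgt)} : {fmt(cls)} {fmt(perms)};"


def check_neverallow(policy_text):
    """List (neverallow rule text, sorted violating tuples) for each hit."""
    attrs, types, rules = parse_policy(policy_text)
    granted = set()
    for r in rules:
        if r[0] == "allow":
            granted |= expand_rule(r, attrs, types)
    violations = []
    for r in rules:
        if r[0] == "neverallow":
            hit = granted & expand_rule(r, attrs, types)
            if hit:
                violations.append((rule_to_str(r), sorted(hit)))
    return violations


# Constructed toy policy for this example; not taken from RHEL's policy.
SAMPLE_POLICY = """
attribute domain;
type httpd_t, domain;
type sshd_t, domain;
type shadow_t;
type httpd_log_t;

# an upstream change that opens the shadow file to a web daemon
allow httpd_t shadow_t : file { read getattr };
allow httpd_t httpd_log_t : file { append };
allow sshd_t self : process { setrlimit };

# local invariants
neverallow domain shadow_t : file { read write };
neverallow { httpd_t } self : process { setexec };
"""

if __name__ == "__main__":
    for rule, hits in check_neverallow(SAMPLE_POLICY):
        print(rule)
        for h in hits:
            print("   violated by allow %s %s : %s %s;" % h)
```

The attribute expansion is the expensive part in the real tool: a neverallow over an attribute such as domain has to be compared against every allow rule for every member type, which is why the cost scales with the size of the whole loaded policy rather than with the module being installed.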