On 3/31/2023 1:34 PM, Christian Göttsche wrote:
Add the command line argument `-N/--disable-neverallow`, similar to secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of neverallow rule violations. This is mainly useful in development, e.g. to quickly add rules to a policy without fulfilling all neverallow rules or build policies with known violations.
I think it might be helpful to print a quick warning along the lines of "Warning: neverallow checking is disabled, compiled policy may violate neverallow rules" or similar when the flag is set, just to double-check against accidental misuse.
-Daniel
