On Fri, Mar 31, 2023 at 1:59 PM Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 3/31/2023 1:34 PM, Christian Göttsche wrote:
> > Add the command line argument `-N/--disable-neverallow`, similar to
> > secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of
> > neverallow rule violations.
> >
> > This is mainly useful in development, e.g. to quickly add rules to a
> > policy without fulfilling all neverallow rules or build policies with
> > known violations.
>
> I think it might be helpful to print a quick warning along the lines of
> "Warning: neverallow checking is disabled, compiled policy may violate
> neverallow rules" or similar when the flag is set, just to double-check
> against accidental misuse.
>
> -Daniel
>

I am ok without a warning. secilc doesn't warn when disabling neverallows.

Jim