[PATCH] org.selinux.policy: Require auth_admin_keep for all actions.

Stephen Smalley <sds@xxxxxxxxxxxxx> · Thu, 16 Apr 2015 09:41:33 -0400

Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
 policycoreutils/sepolicy/org.selinux.policy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
index 44ae625..0126610 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
@@ -40,7 +40,7 @@
         <defaults>
           <allow_any>no</allow_any>
           <allow_inactive>no</allow_inactive>
-	  <allow_active>yes</allow_active>
+	  <allow_active>auth_admin_keep</allow_active>
         </defaults>
     </action>
     <action id="org.selinux.semodule_list">
@@ -49,7 +49,7 @@
         <defaults>
           <allow_any>no</allow_any>
           <allow_inactive>no</allow_inactive>
-	  <allow_active>yes</allow_active>
+	  <allow_active>auth_admin_keep</allow_active>
         </defaults>
     </action>
     <action id="org.selinux.relabel_on_boot">
-- 
2.1.0

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.







