Stephen Smalley wrote:
Fedora permits obtaining local policy customizations and the list of policy modules without admin authentication, but we would prefer more conservative defaults upstream.
+1
Signed-off-by: Stephen Smalley<sds@xxxxxxxxxxxxx> --- policycoreutils/sepolicy/org.selinux.policy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy index 44ae625..0126610 100644 --- a/policycoreutils/sepolicy/org.selinux.policy +++ b/policycoreutils/sepolicy/org.selinux.policy @@ -40,7 +40,7 @@ <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> - <allow_active>yes</allow_active> + <allow_active>auth_admin_keep</allow_active> </defaults> </action> <action id="org.selinux.semodule_list"> @@ -49,7 +49,7 @@ <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> - <allow_active>yes</allow_active> + <allow_active>auth_admin_keep</allow_active> </defaults> </action> <action id="org.selinux.relabel_on_boot">
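Review bot: In the first hunk (@@ -40,7 +40,7 @@) the choice of `auth_admin_keep` over plain `auth_admin` is not explained in the commit message. With the "keep" variant polkit retains the authorization for a short period after one successful admin authentication, so later calls to this action in that window go through without a new prompt. If that caching is intended for a read-only query, one sentence saying so would help. If not, `<allow_active>auth_admin</allow_active>` is the stricter default. The action id is also outside the hunk context, so naming the affected action ids in the message would make the change easier to audit.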
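Review bot: In the second hunk (@@ -49,7 +49,7 @@, `org.selinux.semodule_list`) the default for active local sessions goes from `yes` to `auth_admin_keep`, which changes behaviour for any distribution shipping this file unmodified; the commit message says Fedora wants the permissive setting but does not say how it keeps it. Suggest noting in the message or release notes that distributions wanting the old behaviour need to carry a downstream change to this policy file or ship a local polkit rule for the action, so callers that list modules as an unprivileged active user do not start prompting unexpectedly.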