Re: [PATCH] org.selinux.policy: Require auth_admin_keep for all actions.

Stephen Smalley wrote:
Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.

+1


Signed-off-by: Stephen Smalley<sds@xxxxxxxxxxxxx>
---
  policycoreutils/sepolicy/org.selinux.policy | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
index 44ae625..0126610 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
@@ -40,7 +40,7 @@
          <defaults>
            <allow_any>no</allow_any>
            <allow_inactive>no</allow_inactive>
-	<allow_active>yes</allow_active>
+	<allow_active>auth_admin_keep</allow_active>
          </defaults>
      </action>
      <action id="org.selinux.semodule_list">
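
Review bot: The rewritten <allow_active> line in this hunk is still tab-indented, while the neighbouring <allow_any> and <allow_inactive> lines are indented with spaces. Since the line is being replaced anyway, it could be re-indented to match them. The id of the action being tightened here also falls outside the hunk context, so naming both affected actions in the commit message would let readers see which defaults changed without opening the file.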
@@ -49,7 +49,7 @@
          <defaults>
            <allow_any>no</allow_any>
            <allow_inactive>no</allow_inactive>
-	<allow_active>yes</allow_active>
+	<allow_active>auth_admin_keep</allow_active>
          </defaults>
      </action>
      <action id="org.selinux.relabel_on_boot">
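
Review bot: The subject says "for all actions", but only two <allow_active> defaults change in this patch, and the trailing context shows org.selinux.relabel_on_boot following org.selinux.semodule_list without its defaults being visible. A sentence in the commit message stating that the remaining actions already use auth_admin_keep would make that claim checkable from the patch alone. The replaced line at org.selinux.semodule_list also keeps the tab indentation that differs from the space-indented lines around it.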
