* [PATCH] org.selinux.policy: Require auth_admin_keep for all actions.
@ 2015-04-16 13:41 Stephen Smalley
2015-04-16 14:00 ` Joshua Brindle
0 siblings, 1 reply; 2+ messages in thread
From: Stephen Smalley @ 2015-04-16 13:41 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
policycoreutils/sepolicy/org.selinux.policy | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
index 44ae625..0126610 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
@@ -40,7 +40,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
- <allow_active>yes</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.semodule_list">
@@ -49,7 +49,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
- <allow_active>yes</allow_active>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.relabel_on_boot">
--
2.1.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] org.selinux.policy: Require auth_admin_keep for all actions.
2015-04-16 13:41 [PATCH] org.selinux.policy: Require auth_admin_keep for all actions Stephen Smalley
@ 2015-04-16 14:00 ` Joshua Brindle
0 siblings, 0 replies; 2+ messages in thread
From: Joshua Brindle @ 2015-04-16 14:00 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> Fedora permits obtaining local policy customizations and the list
> of policy modules without admin authentication, but we would prefer
> more conservative defaults upstream.
+1
>
> Signed-off-by: Stephen Smalley<sds@tycho.nsa.gov>
> ---
> policycoreutils/sepolicy/org.selinux.policy | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
> index 44ae625..0126610 100644
> --- a/policycoreutils/sepolicy/org.selinux.policy
> +++ b/policycoreutils/sepolicy/org.selinux.policy
> @@ -40,7 +40,7 @@
> <defaults>
> <allow_any>no</allow_any>
> <allow_inactive>no</allow_inactive>
> - <allow_active>yes</allow_active>
> + <allow_active>auth_admin_keep</allow_active>
> </defaults>
> </action>
> <action id="org.selinux.semodule_list">
> @@ -49,7 +49,7 @@
> <defaults>
> <allow_any>no</allow_any>
> <allow_inactive>no</allow_inactive>
> - <allow_active>yes</allow_active>
> + <allow_active>auth_admin_keep</allow_active>
> </defaults>
> </action>
> <action id="org.selinux.relabel_on_boot">
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-04-16 14:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-16 13:41 [PATCH] org.selinux.policy: Require auth_admin_keep for all actions Stephen Smalley
2015-04-16 14:00 ` Joshua Brindle
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.