org.selinux.policy: Require auth_admin_keep for all actions.

Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2015-03-27 16:13:34 -04:00
parent 082f1d1274
commit 549912d229

View File

@ -40,7 +40,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.semodule_list">
@ -49,7 +49,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.relabel_on_boot">