From 65badde82e0c77875a23f084cf3251c052e042e2 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 5 Sep 2025 19:28:47 +0100 Subject: [PATCH 1/2] machine: restrict register-machine action again Follow-up for adaff8eb35d9c471af81fddaa4403bc5843a256f --- src/machine/org.freedesktop.machine1.policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/machine/org.freedesktop.machine1.policy b/src/machine/org.freedesktop.machine1.policy index d5b8d83d2aa..bba3da906ad 100644 --- a/src/machine/org.freedesktop.machine1.policy +++ b/src/machine/org.freedesktop.machine1.policy @@ -108,7 +108,7 @@ auth_admin auth_admin - yes + auth_admin_keep From 2b3c02380cd736d1c2ac5ff2b025dd4a543bd469 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 5 Sep 2025 19:31:59 +0100 Subject: [PATCH 2/2] NEWS: update register-machine paragraph --- NEWS | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 543baf5dbff..fcf97e5ea90 100644 --- a/NEWS +++ b/NEWS @@ -934,9 +934,7 @@ CHANGES WITH 258 in spe: * A new "org.freedesktop.machine1.register-machine" polkit action is used when checking for privileges to register a machine. Previously, "org.freedesktop.machine1.create-machine" was used for creation and - registration operations. The policy for the new action is more - permissive: active users are allowed to perform the action without - authentication. + registration operations. * systemd-machined now also tracks the "supervisor" process of a machine, i.e. the host process that manages the payload. This
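Review bot: The commit message for PATCH 1/2 gives no reason for the change in the @@ -108,7 +108,7 @@ hunk of src/machine/org.freedesktop.machine1.policy, where the last of the three defaults goes from `yes` to `auth_admin_keep`; it only points at adaff8eb35d9c471af81fddaa4403bc5843a256f. Please state in the message why the unauthenticated default is being withdrawn, and mention the behaviour change for existing callers: anything that registered a machine without a prompt under `yes` will now need an administrator authentication, which polkit then retains for a short period under `auth_admin_keep`. A non-interactive caller with no polkit agent available will simply be denied, so that case is worth calling out too.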
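Review bot: After the deletion in the NEWS hunk (@@ -934,9 +934,7 @@), the paragraph announces the new "org.freedesktop.machine1.register-machine" action but no longer says anything about its default policy, so a reader cannot tell whether registration is more, less or equally restricted compared with "org.freedesktop.machine1.create-machine". Rather than only dropping the "more permissive" sentence, consider replacing it with one that says administrator authentication is required by default, and that local polkit rules which grant "org.freedesktop.machine1.create-machine" need to be extended to the new action id if they are meant to keep covering registration.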