diff --git a/passwordless-root/polkit-1-qubes-allow-all.rules b/passwordless-root/polkit-1-qubes-allow-all.rules
index 723d6d6..a83c827 100644
--- a/passwordless-root/polkit-1-qubes-allow-all.rules
+++ b/passwordless-root/polkit-1-qubes-allow-all.rules
@@ -1,2 +1,2 @@
 //allow any action, detailed reasoning in sudoers.d/qubes
-polkit.addRule(function(action,subject) { return polkit.Result.YES; });
+polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });
diff --git a/passwordless-root/qubes.sudoers b/passwordless-root/qubes.sudoers
index 5c3229f..cf185eb 100644
--- a/passwordless-root/qubes.sudoers
+++ b/passwordless-root/qubes.sudoers
@@ -1,4 +1,4 @@
-Defaults !requiretty
+Defaults role=unconfined_r, type=unconfined_t, !requiretty
 %qubes ALL=(ALL) NOPASSWD: ALL
 
 # WTF?! Have you lost your mind?!