diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md index 586fb3a..bc9f1cc 100644 --- a/salt/qubes-builder/README.md +++ b/salt/qubes-builder/README.md @@ -49,10 +49,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`. Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`, -`qusal.GitPush`, `qusal.SshAgent`. - -Out of these services, if an argument `+qubes-builder` can be specified to -limit the scope, the action is `allowed`, else the action is to `ask`. +`qusal.GitPush`, `qusal.SshAgent`. Necessary services are allowed to have an +unattended build. ## Usage diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy index 5953898..a5ff04f 100644 --- a/salt/qubes-builder/files/admin/policy/default.policy +++ b/salt/qubes-builder/files/admin/policy/default.policy @@ -5,11 +5,11 @@ ## Do not modify this file, create a new policy with with a lower number in the ## file name instead. For example `30-user.policy`. -qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp default_target=sys-pgp +qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git -qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-pgp +qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git default_target=sys-git qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
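Review bot: In the README.md hunk, the replacement sentence "Necessary services are allowed to have an unattended build" no longer tells the reader which calls prompt and which do not. It reads as if every listed service is now allowed, while default.policy in this same patch keeps `qusal.GitPush +qubes-builder` on `ask`. Suggest wording along the lines of: "Services required for the build are set to `allow` so that builds can run unattended; `qusal.GitPush` still asks." That keeps the documentation in step with the policy file.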
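Review bot: In the default.policy hunk, the `qubes.Gpg2` rule moves from `ask` to `allow` while keeping the `*` argument. Unlike the `+qubes-builder` rules below it, the allow is not narrowed by a service argument, and every `qubes.Gpg2` call from the builder qube to `sys-pgp` now passes without a policy prompt. If that is the intended trade-off for unattended builds, say so in a comment above the rule or in the README, and point users who want the confirmation back to an override in a lower-numbered file such as `30-user.policy`, as the file header already describes. The `default_target=sys-git` correction on the `qusal.GitPush` line looks right, since it now matches `target=sys-git`.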