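#
# The restrictive profile is for use in environments where security is a
# major concern, or where hosts are centrally administered and users should
# have minimal privileges. Many operations require authentication as admin.
#
# Each entry has the form "<action> <any>:<inactive>:<active>": the polkit
# result for any session, for inactive local sessions and for active local
# sessions, in that order. A single value applies to all three.
#
# Please do not modify this file. Instead, use a local copy of
#     /usr/etc/polkit-default-privs/local.template
# in
#     /etc/polkit-default-privs/local
#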

# NetworkManager
org.freedesktop.NetworkManager.enable-disable-network           no:no:auth_admin
org.freedesktop.NetworkManager.enable-disable-wifi              no:no:auth_admin
org.freedesktop.NetworkManager.enable-disable-wwan              no:no:auth_admin
# auth_admin probably causes issues with suspend here? (bsc#716291)
org.freedesktop.NetworkManager.network-control                  no:no:auth_admin
org.freedesktop.NetworkManager.sleep-wake                       no
# bsc#680140
org.freedesktop.NetworkManager.enable-disable-wimax             no:no:auth_admin
org.freedesktop.NetworkManager.wifi.share.protected             no:no:auth_admin
org.freedesktop.NetworkManager.wifi.share.open                  no:no:auth_admin
org.freedesktop.NetworkManager.settings.modify.own              auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.system           auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.hostname         auth_admin
# bsc#996110
org.freedesktop.NetworkManager.enable-disable-statistics        no:no:auth_admin_keep
# bsc#1072702
org.freedesktop.NetworkManager.enable-disable-connectivity-check no:no:auth_admin_keep
# bsc#1077504
org.freedesktop.NetworkManager.checkpoint-rollback              auth_admin_keep:auth_admin_keep:auth_admin_keep
org.freedesktop.NetworkManager.reload                           auth_admin_keep:auth_admin_keep:auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.global-dns       auth_admin_keep:auth_admin_keep:auth_admin_keep
# bsc#1122262, bsc#1128560 (renamed from previously wifi-scan)
org.freedesktop.NetworkManager.wifi.scan                        auth_admin:auth_admin_keep:yes

# gnome-settings-daemon (bsc#750795)
org.gnome.settings-daemon.plugins.wacom.wacom-led-helper        no:no:auth_admin
# bsc#822405
org.gnome.settings-daemon.plugins.wacom.wacom-oled-helper       no:no:auth_admin

# colord (bsc#698250, bsc#887511, bsc#918594)
org.freedesktop.color-manager.create-device                     no:no:yes
org.freedesktop.color-manager.create-profile                    no:no:yes
org.freedesktop.color-manager.delete-device                     no:no:yes
org.freedesktop.color-manager.delete-profile                    no:no:yes
org.freedesktop.color-manager.modify-device                     auth_admin
org.freedesktop.color-manager.modify-profile                    auth_admin
org.freedesktop.color-manager.install-system-wide               auth_admin
org.freedesktop.color-manager.device-inhibit                    auth_admin
org.freedesktop.color-manager.sensor-lock                       auth_admin

# PackageKit
org.freedesktop.packagekit.package-install                      auth_admin_keep
org.freedesktop.packagekit.package-install-untrusted            auth_admin
org.freedesktop.packagekit.system-trust-signing-key             auth_admin
org.freedesktop.packagekit.package-eula-accept                  auth_admin_keep
org.freedesktop.packagekit.package-remove                       auth_admin_keep
org.freedesktop.packagekit.system-update                        auth_admin_keep
org.freedesktop.packagekit.system-sources-configure             auth_admin_keep
org.freedesktop.packagekit.system-sources-refresh               no:no:yes
org.freedesktop.packagekit.system-network-proxy-configure       auth_admin_keep
org.freedesktop.packagekit.cancel-foreign                       auth_admin:auth_admin:auth_admin_keep
org.freedesktop.packagekit.upgrade-system                       auth_admin
org.freedesktop.packagekit.repair-system                        auth_admin
# PackageKit / systemd offline updates (bsc#798885)
# same as org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.trigger-offline-update               auth_admin_keep
org.freedesktop.packagekit.clear-offline-update                 auth_admin_keep
# PackageKit (bsc#929212)
org.freedesktop.packagekit.package-reinstall                    auth_admin:auth_admin:auth_admin_keep
org.freedesktop.packagekit.package-downgrade                    auth_admin:auth_admin:auth_admin_keep
# PackageKit (bsc#993505)
org.freedesktop.packagekit.trigger-offline-upgrade              no:auth_admin:auth_admin

# system-config-printer
org.opensuse.cupspkhelper.mechanism.printer-set-default         auth_admin_keep
org.opensuse.cupspkhelper.mechanism.printer-enable              auth_admin_keep
org.opensuse.cupspkhelper.mechanism.printer-local-edit          auth_admin_keep
org.opensuse.cupspkhelper.mechanism.printer-remote-edit         auth_admin_keep
org.opensuse.cupspkhelper.mechanism.class-edit                  auth_admin_keep
org.opensuse.cupspkhelper.mechanism.server-settings             auth_admin_keep
org.opensuse.cupspkhelper.mechanism.printeraddremove            auth_admin_keep
org.opensuse.cupspkhelper.mechanism.job-edit                    auth_admin:auth_admin:yes
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit          auth_admin_keep
org.opensuse.cupspkhelper.mechanism.devices-get                 auth_admin_keep
org.opensuse.cupspkhelper.mechanism.all-edit                    auth_admin_keep

# RealtimeKit (bsc#753849)
org.freedesktop.RealtimeKit1.acquire-high-priority              no:auth_admin:auth_admin
org.freedesktop.RealtimeKit1.acquire-real-time                  no:auth_admin:auth_admin

# polkit-1
org.freedesktop.policykit.exec                                  auth_admin
# this is only for an example program
org.freedesktop.policykit.example.pkexec.run-frobnicate         no:no:auth_admin_keep

# udisks2 (bsc#742751)
org.freedesktop.udisks2.filesystem-mount-system                 auth_admin
org.freedesktop.udisks2.filesystem-fstab                        auth_admin
org.freedesktop.udisks2.filesystem-unmount-others               auth_admin
org.freedesktop.udisks2.encrypted-unlock-system                 auth_admin
org.freedesktop.udisks2.encrypted-unlock-crypttab               auth_admin
org.freedesktop.udisks2.encrypted-lock-others                   auth_admin
org.freedesktop.udisks2.encrypted-change-passphrase-system      auth_admin
org.freedesktop.udisks2.loop-delete-others                      auth_admin
org.freedesktop.udisks2.manage-swapspace                        auth_admin
org.freedesktop.udisks2.modify-device-system                    auth_admin
org.freedesktop.udisks2.open-device                             auth_admin
org.freedesktop.udisks2.open-device-system                      auth_admin
org.freedesktop.udisks2.modify-system-configuration             auth_admin
org.freedesktop.udisks2.read-system-configuration-secrets       auth_admin
org.freedesktop.udisks2.ata-smart-selftest                      auth_admin
org.freedesktop.udisks2.filesystem-mount                        auth_admin
org.freedesktop.udisks2.encrypted-unlock                        auth_admin
org.freedesktop.udisks2.encrypted-change-passphrase             auth_admin
org.freedesktop.udisks2.loop-setup                              auth_admin
org.freedesktop.udisks2.modify-device                           auth_admin
org.freedesktop.udisks2.ata-smart-update                        auth_admin
# (bsc#761872)
org.freedesktop.udisks2.eject-media                             auth_admin
org.freedesktop.udisks2.filesystem-mount-other-seat             auth_admin
org.freedesktop.udisks2.encrypted-unlock-other-seat             auth_admin
org.freedesktop.udisks2.loop-modify-others                      auth_admin
org.freedesktop.udisks2.eject-media-system                      auth_admin
org.freedesktop.udisks2.eject-media-other-seat                  auth_admin
org.freedesktop.udisks2.modify-device-other-seat                auth_admin
# (bsc#779404)
# root-only actions
org.freedesktop.udisks2.modify-drive-settings                   auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-smart-simulate                      auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-standby-system                      auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-standby-other-seat                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-secure-erase                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.cancel-job-other-user                   auth_admin:auth_admin:auth_admin_keep
# these actions want desktop-user permissions; this profile still requires admin authentication
org.freedesktop.udisks2.rescan                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-check-power                         auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-standby                             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.cancel-job                              auth_admin:auth_admin:auth_admin_keep
# bsc#1073216
org.freedesktop.udisks2.btrfs.manage-btrfs                      auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.filesystem-take-ownership               auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.lvm2.manage-lvm                         auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.lsm.manage-led                          auth_admin:auth_admin:auth_admin_keep
# bsc#1214897
org.freedesktop.udisks2.filesystem-mount-other-user             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-smart-selftest                     auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-sanitize                           auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-format-namespace                   auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-connect                            auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-disconnect                         auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-set-hostnqn-id                     auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.nvme-smart-update                       auth_admin:auth_admin:auth_admin_keep

# KDE stuff
org.kde.fontinst.manage                                         no:no:auth_admin_keep
org.kde.kcontrol.kcmclock.save                                  no:no:auth_admin
org.kde.ksysguard.processlisthelper.changecpuscheduler          no:no:auth_admin
org.kde.ksysguard.processlisthelper.changeioscheduler           no:no:auth_admin
org.kde.ksysguard.processlisthelper.renice                      no:no:auth_admin
org.kde.ksysguard.processlisthelper.sendsignal                  no:no:auth_admin
# kde backlight helper (bsc#672145)
org.kde.powerdevil.backlighthelper.brightness                   no:auth_admin:yes
org.kde.powerdevil.backlighthelper.setbrightness                no:no:yes
# powerdevil (bsc#825256)
org.kde.powerdevil.backlighthelper.syspath                      no:yes:yes
# KDE5 powerdevil (bsc#912121, bsc#927275)
org.kde.powerdevil.backlighthelper.brightnessmax                no:yes:yes
# kde powerdevil gpu helper (bsc#1019748, bsc#1026038)
org.kde.powerdevil.discretegpuhelper.hasdualgpu                 no:no:yes
# KDE battery charge threshold control (bsc#1176474)
org.kde.powerdevil.chargethresholdhelper.getthreshold           no:auth_admin:yes
org.kde.powerdevil.chargethresholdhelper.setthreshold           no:no:auth_admin
# powerdevil battery conservation mode (bsc#1226424)
org.kde.powerdevil.chargethresholdhelper.getconservationmode    no:yes:yes
org.kde.powerdevil.chargethresholdhelper.setconservationmode    no:no:auth_admin
# kdepim4/kalarm (bsc#707723, bsc#1087714 (renamed from kalarmrtcwake))
org.kde.kalarm.rtcwake.settimer                                 auth_admin_keep
# sddm kcm operation (bsc#904313)
org.kde.kcontrol.kcmsddm.save                                   auth_admin
# sddm kcm (bsc#1065563)
org.kde.kcontrol.kcmsddm.installtheme                           no:no:auth_admin_keep
org.kde.kcontrol.kcmsddm.uninstalltheme                         no:no:auth_admin_keep
# sddm kcm incremental addition (bsc#1145182)
org.kde.kcontrol.kcmsddm.reset                                  no:no:auth_admin
org.kde.kcontrol.kcmsddm.sync                                   no:no:auth_admin
# KDE smartctl helper (bsc#1176742)
org.kde.kded.smart.smartctl                                     no:no:auth_admin
# kinfocenter5 (bsc#1199735)
org.kde.kinfocenter.dmidecode.systeminformation                 no:yes:yes
# kinfocenter6 (bsc#1231659)
org.kde.kinfocenter.dmidecode.memoryinformation                 no:no:yes
# kde-inotify-survey (bsc#1208689)
org.kde.kded.inotify.increaseinstancelimit                      no:no:auth_admin
org.kde.kded.inotify.increasewatchlimit                         no:no:auth_admin
# drkonqi6 (bsc#1220190)
org.kde.drkonqi.saveCoreToFile                                  no:no:auth_admin
# kdeplasma-addons-kameleon (bsc#1226306)
org.kde.kameleonhelper.writecolor                               no:no:yes
# privileged file operations in KDE used e.g. in Dolphin (bsc#1229913)
org.kde.kio.admin.commands                                      no:no:auth_admin_keep

# systemd (bsc#641924)
org.freedesktop.hostname1.set-hostname                          auth_admin
org.freedesktop.hostname1.set-static-hostname                   auth_admin
org.freedesktop.hostname1.set-machine-info                      auth_admin
org.freedesktop.systemd1.reply-password                         auth_admin
org.freedesktop.timedate1.set-time                              auth_admin_keep
org.freedesktop.timedate1.set-timezone                          auth_admin_keep
org.freedesktop.timedate1.set-ntp                               auth_admin_keep
org.freedesktop.timedate1.set-local-rtc                         auth_admin_keep
org.freedesktop.locale1.set-locale                              auth_admin_keep
org.freedesktop.locale1.set-keyboard                            auth_admin_keep
org.freedesktop.login1.attach-device                            auth_admin_keep
org.freedesktop.login1.flush-devices                            auth_admin_keep
org.freedesktop.login1.power-off                                auth_admin_keep
org.freedesktop.login1.power-off-multiple-sessions              auth_admin_keep
org.freedesktop.login1.reboot                                   auth_admin_keep
org.freedesktop.login1.reboot-multiple-sessions                 auth_admin_keep
org.freedesktop.login1.set-user-linger                          auth_admin_keep
org.freedesktop.login1.set-self-linger                          yes
# systemd additions I (bsc#783897)
org.freedesktop.login1.power-off-ignore-inhibit                 auth_admin_keep
org.freedesktop.login1.reboot-ignore-inhibit                    auth_admin_keep
org.freedesktop.login1.suspend-ignore-inhibit                   auth_admin_keep
org.freedesktop.login1.hibernate-multiple-sessions              auth_admin_keep
org.freedesktop.login1.hibernate-ignore-inhibit                 auth_admin_keep
# systemd additions II
org.freedesktop.login1.inhibit-block-shutdown                   no:yes:yes
org.freedesktop.login1.inhibit-block-sleep                      no:yes:yes
org.freedesktop.login1.inhibit-handle-power-key                 no:yes:yes
org.freedesktop.login1.inhibit-handle-suspend-key               no:yes:yes
org.freedesktop.login1.inhibit-handle-hibernate-key             no:yes:yes
org.freedesktop.login1.inhibit-handle-lid-switch                no:yes:yes
# systemd additions III
org.freedesktop.login1.inhibit-delay-shutdown                   yes
org.freedesktop.login1.inhibit-delay-sleep                      yes
org.freedesktop.login1.inhibit-block-idle                       yes
org.freedesktop.login1.suspend                                  auth_admin_keep:auth_admin_keep:yes
org.freedesktop.login1.suspend-multiple-sessions                auth_admin_keep:auth_admin_keep:yes
org.freedesktop.login1.hibernate                                auth_admin_keep:auth_admin_keep:yes
# bsc#955626
org.freedesktop.systemd1.set-environment                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.login                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.shell                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.host-shell                             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.open-pty                               auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.host-open-pty                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.manage-machines                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.machine1.manage-images                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.login1.manage                                   auth_admin_keep
org.freedesktop.login1.lock-sessions                            auth_admin_keep
org.freedesktop.login1.set-reboot-to-firmware-setup             auth_admin_keep
org.freedesktop.login1.set-wall-message                         auth_admin_keep
org.freedesktop.machine1.host-login                             auth_admin:auth_admin:yes
# v257 addition (bsc#1233295)
org.freedesktop.machine1.create-machine                         auth_admin:auth_admin:auth_admin
# v258 addition (bsc#1250893)
org.freedesktop.machine1.register-machine                       no:auth_admin:auth_admin_keep
# systemd follow-up for resolve actions (bsc#1096907)
org.freedesktop.resolve1.register-service                       auth_admin
org.freedesktop.resolve1.unregister-service                     auth_admin
# resolve actions from bsc#1149216
org.freedesktop.resolve1.revert                                 auth_admin
org.freedesktop.resolve1.set-dnssec-negative-trust-anchors      auth_admin
org.freedesktop.resolve1.set-dnssec                             auth_admin
org.freedesktop.resolve1.set-dns-over-tls                       auth_admin
org.freedesktop.resolve1.set-mdns                               auth_admin
org.freedesktop.resolve1.set-llmnr                              auth_admin
org.freedesktop.resolve1.set-default-route                      auth_admin
org.freedesktop.resolve1.set-domains                            auth_admin
org.freedesktop.resolve1.set-dns-servers                        auth_admin
# v257 addition (bsc#1233295)
org.freedesktop.resolve1.subscribe-query-results                auth_admin:auth_admin:auth_admin_keep
org.freedesktop.resolve1.dump-cache                             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.resolve1.dump-server-state                      auth_admin:auth_admin:auth_admin_keep
org.freedesktop.resolve1.dump-statistics                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.resolve1.reset-statistics                       auth_admin:auth_admin:auth_admin_keep
# v258 addition (bsc#1250880)
org.freedesktop.resolve1.subscribe-dns-configuration            auth_admin:auth_admin:auth_admin_keep
# systemd get-product-uuid incremental addition (bsc#1127847)
org.freedesktop.hostname1.get-product-uuid                      auth_admin
# systemd org.freedesktop.login1.* services (bsc#1133843)
org.freedesktop.login1.set-reboot-parameter                     auth_admin_keep
org.freedesktop.login1.set-reboot-to-boot-loader-entry          auth_admin_keep
org.freedesktop.login1.set-reboot-to-boot-loader-menu           auth_admin_keep
# portabled (boo#1145639)
org.freedesktop.portable1.attach-images                         auth_admin
org.freedesktop.portable1.inspect-images                        auth_admin
org.freedesktop.portable1.manage-images                         auth_admin
# networkd (boo#1146300)
org.freedesktop.network1.revert-dns                             auth_admin
org.freedesktop.network1.revert-ntp                             auth_admin
org.freedesktop.network1.set-default-route                      auth_admin
org.freedesktop.network1.set-dns-over-tls                       auth_admin
org.freedesktop.network1.set-dns-servers                        auth_admin
org.freedesktop.network1.set-dnssec                             auth_admin
org.freedesktop.network1.set-dnssec-negative-trust-anchors      auth_admin
org.freedesktop.network1.set-domains                            auth_admin
org.freedesktop.network1.set-llmnr                              auth_admin
org.freedesktop.network1.set-mdns                               auth_admin
org.freedesktop.network1.set-ntp-servers                        auth_admin
# networkd follow-up (bsc#1161328)
org.freedesktop.network1.reconfigure                            auth_admin:auth_admin:auth_admin
org.freedesktop.network1.reload                                 auth_admin:auth_admin:auth_admin
org.freedesktop.network1.renew                                  auth_admin:auth_admin:auth_admin
# systemd actions new in v218
org.freedesktop.systemd1.manage-units                           auth_admin:auth_admin:auth_admin_keep
org.freedesktop.systemd1.manage-unit-files                      auth_admin:auth_admin:auth_admin_keep
org.freedesktop.systemd1.reload-daemon                          auth_admin:auth_admin:auth_admin_keep
# systemd, systemd-mini (bsc#1087328)
org.freedesktop.login1.halt                                     auth_admin_keep
org.freedesktop.login1.halt-ignore-inhibit                      auth_admin_keep
org.freedesktop.login1.halt-multiple-sessions                   auth_admin_keep
# chvt action in systemd-logind (bsc#1167542)
org.freedesktop.login1.chvt                                     auth_admin_keep:auth_admin_keep:yes
# incremental addition for DHCP forced renew (bsc#1176215)
org.freedesktop.network1.forcerenew                             auth_admin:auth_admin:auth_admin_keep
# incremental addition to handle reboot key events (bsc#1185468)
org.freedesktop.login1.inhibit-handle-reboot-key                no:auth_self:yes

# systemd homed (boo#1185285)
org.freedesktop.home1.authenticate-home                         auth_admin
org.freedesktop.home1.create-home                               auth_admin
org.freedesktop.home1.passwd-home                               auth_admin
org.freedesktop.home1.remove-home                               auth_admin
org.freedesktop.home1.resize-home                               auth_admin
org.freedesktop.home1.update-home                               auth_admin
# v257 addition (bsc#1233295)
org.freedesktop.home1.update-home-by-owner                      auth_admin_keep:auth_admin_keep:yes
# v258 addition (bsc#1250884)
org.freedesktop.home1.manage-signing-keys                       no:auth_admin:auth_admin

# systemd timesync1, hostname1 (bsc#1200098)
org.freedesktop.timesync1.set-runtime-servers                   auth_admin:auth_admin:auth_admin
org.freedesktop.hostname1.get-hardware-serial                   auth_admin_keep
org.freedesktop.hostname1.get-description                       auth_admin_keep

# systemd Dump*() rate-limiting (bsc#1211978)
org.freedesktop.systemd1.bypass-dump-ratelimit auth_admin:auth_admin:auth_admin_keep

# systemd new policies in v256 (bsc#1225317)
io.systemd.credentials.decrypt                                  auth_admin_keep:auth_admin_keep:auth_admin_keep
io.systemd.credentials.encrypt                                  auth_admin_keep:auth_admin_keep:auth_admin_keep
io.systemd.mount-file-system.mount-image                        auth_admin_keep:auth_admin_keep:auth_admin_keep
io.systemd.mount-file-system.mount-image-privately              auth_admin_keep:auth_admin_keep:auth_admin_keep
io.systemd.mount-file-system.mount-untrusted-image              auth_admin:auth_admin:auth_admin
io.systemd.mount-file-system.mount-untrusted-image-privately    auth_admin:auth_admin:auth_admin
org.freedesktop.home1.activate-home                             auth_admin_keep:auth_admin_keep:auth_admin_keep
org.freedesktop.import1.cancel                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.network1.set-persistent-storage                 auth_admin:auth_admin:auth_admin_keep

# GNOME control-center (bsc#927508)
org.gnome.controlcenter.remote-login-helper                     no:no:auth_admin
# GNOME control-center (bsc#779938)
org.gnome.controlcenter.user-accounts.administration            no:no:auth_admin_keep
org.gnome.controlcenter.datetime.configure                      no:no:auth_admin_keep
# gnome-control-center enable remote login on systemd level (bsc#1220862)
org.gnome.controlcenter.remote-session-helper                   no:no:auth_admin_keep

# budgie-control-center (bsc#1195023)
org.buddiesofbudgie.controlcenter.datetime.configure		no:no:auth_admin_keep
org.buddiesofbudgie.controlcenter.remote-login-helper		no:no:auth_admin_keep
org.buddiesofbudgie.controlcenter.user-accounts.administration	no:no:auth_admin_keep

# gnome-power-manager/gnome-settings-daemon (bsc#650401, bsc#712841)
org.gnome.settings-daemon.plugins.power.backlight-helper        no:no:yes
# xfce4-power-manager (bsc#665169)
# the helper code is copied from gnome-power-manager
org.xfce.power.backlight-helper                                 no:no:yes
# run mousepad editor as root (bsc#1232231)
# This must never be relaxed to anything weaker than auth_admin: command-line
# arguments (e.g. --gtk-module) can be used to make the root-run editor run
# user-controlled code.
org.xfce.mousepad                                               no:no:auth_admin

# cinnamon settings-daemon (bsc#951830)
org.cinnamon.settings-daemon.plugins.power.backlight-helper     no:no:yes
org.cinnamon.settingsdaemon.datetimemechanism.configure         no:no:auth_admin_keep
# cinnamon settings-daemon (bsc#1083067)
org.cinnamon.settings-users                                     auth_admin
# cinnamon-settings-daemon (bsc#1186845)
org.cinnamon.settings-daemon.plugins.wacom.wacom-led-helper     no:no:auth_admin_keep
# cinnamon-settings-daemon (bsc#1217532)
org.cinnamon.settings-daemon.plugins.wacom.wacom-oled-helper    no:no:auth_admin_keep

# hp-drive-guard
com.hp.driveguard.toggle                                        no:no:auth_admin
com.hp.driveguard.install-setup                                 no:no:auth_admin

# ModemManager1 (bsc#798273, bsc#948728)
org.freedesktop.ModemManager1.Control                           no:no:auth_admin
org.freedesktop.ModemManager1.Device.Control                    no:no:auth_self_keep
org.freedesktop.ModemManager1.Contacts                          no:no:auth_self_keep
org.freedesktop.ModemManager1.Messaging                         no:no:auth_self_keep
org.freedesktop.ModemManager1.Location                          no:no:auth_self_keep
org.freedesktop.ModemManager1.Firmware                          no:no:auth_admin
org.freedesktop.ModemManager1.USSD                              no:no:auth_self_keep
# bsc#976945
org.freedesktop.ModemManager1.Voice                             no:no:auth_admin_keep
# bsc#1156961
org.freedesktop.ModemManager1.Time                              no:no:auth_self_keep
# bsc#1243684
org.freedesktop.ModemManager1.CellBroadcast                     no:no:auth_self_keep

# urfkill (bsc#688328)
org.freedesktop.urfkill.block                                   no:no:auth_admin
org.freedesktop.urfkill.blockidx                                no:no:auth_admin
# urfkill (bsc#926288)
org.freedesktop.urfkill.flight_mode                             no:no:auth_admin

# account services (bsc#676638, bsc#1125110)
org.freedesktop.accounts.user-administration                    auth_admin:auth_admin:auth_admin_keep
org.freedesktop.accounts.set-login-option                       auth_admin
org.freedesktop.accounts.change-own-user-data                   auth_self:yes:yes
# bsc#1088780
org.freedesktop.accounts.change-own-password                    auth_admin
# lightdm (uses accountsservice extension system, bsc#1089436)
org.freedesktop.DisplayManager.AccountsService.ModifyAny        no
org.freedesktop.DisplayManager.AccountsService.ModifyOwn        auth_self
org.freedesktop.DisplayManager.AccountsService.ReadAny          auth_admin:auth_admin:yes

# gparted (bsc#810888)
org.opensuse.policykit.gparted                                  auth_admin

# udisks2 (bsc#809277)
org.freedesktop.udisks2.manage-md-raid                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.power-off-drive-system                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.power-off-drive-other-seat              auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.ata-smart-enable-disable                auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.power-off-drive                         auth_admin:auth_admin:yes

# fprintd (bsc#792095, bsc#850807)
net.reactivated.fprint.device.verify                            no:no:yes
net.reactivated.fprint.device.enroll                            no:no:auth_self_keep
net.reactivated.fprint.device.setusername                       no:no:auth_admin_keep

# gnome-system-monitor (bsc#822011)
org.gnome.gnome-system-monitor.kill                             no:no:auth_admin
org.gnome.gnome-system-monitor.renice                           no:no:auth_admin

# libvirt
org.libvirt.unix.monitor                                        auth_admin:auth_admin_keep:yes
org.libvirt.unix.manage                                         auth_admin_keep
# libvirt (bsc#827644); the original wants yes:yes:yes, but this profile requires admin authentication
org.libvirt.api.connect.getattr                                 auth_admin_keep
org.libvirt.api.connect.read                                    auth_admin_keep
org.libvirt.api.connect.search-domains                          auth_admin_keep
org.libvirt.api.connect.search-interfaces                       auth_admin_keep
org.libvirt.api.connect.search-networks                         auth_admin_keep
org.libvirt.api.connect.search-node-devices                     auth_admin_keep
org.libvirt.api.connect.search-nwfilters                        auth_admin_keep
org.libvirt.api.connect.search-secrets                          auth_admin_keep
org.libvirt.api.connect.search-storage-pools                    auth_admin_keep
org.libvirt.api.domain.getattr                                  auth_admin_keep
org.libvirt.api.domain.read                                     auth_admin_keep
org.libvirt.api.interface.getattr                               auth_admin_keep
org.libvirt.api.interface.read                                  auth_admin_keep
org.libvirt.api.network.getattr                                 auth_admin_keep
org.libvirt.api.network.read                                    auth_admin_keep
org.libvirt.api.node-device.getattr                             auth_admin_keep
org.libvirt.api.nwfilter.getattr                                auth_admin_keep
org.libvirt.api.nwfilter.read                                   auth_admin_keep
org.libvirt.api.secret.getattr                                  auth_admin_keep
org.libvirt.api.secret.read                                     auth_admin_keep
org.libvirt.api.storage-pool.getattr                            auth_admin_keep
org.libvirt.api.storage-pool.read                               auth_admin_keep
org.libvirt.api.storage-vol.getattr                             auth_admin_keep
org.libvirt.api.storage-vol.read                                auth_admin_keep
# libvirt (bsc#959297)
org.libvirt.api.connect.detect-storage-pools                    auth_admin_keep
org.libvirt.api.connect.interface-transaction                   auth_admin_keep
org.libvirt.api.connect.pm-control                              auth_admin_keep
org.libvirt.api.connect.write                                   auth_admin_keep
org.libvirt.api.domain.block-read                               auth_admin_keep
org.libvirt.api.domain.block-write                              auth_admin_keep
org.libvirt.api.domain.core-dump                                auth_admin_keep
org.libvirt.api.domain.delete                                   auth_admin_keep
org.libvirt.api.domain.fs-freeze                                auth_admin_keep
org.libvirt.api.domain.fs-trim                                  auth_admin_keep
org.libvirt.api.domain.hibernate                                auth_admin_keep
org.libvirt.api.domain.init-control                             auth_admin_keep
org.libvirt.api.domain.inject-nmi                               auth_admin_keep
org.libvirt.api.domain.mem-read                                 auth_admin_keep
org.libvirt.api.domain.migrate                                  auth_admin_keep
org.libvirt.api.domain.open-device                              auth_admin_keep
org.libvirt.api.domain.open-graphics                            auth_admin_keep
org.libvirt.api.domain.open-namespace                           auth_admin_keep
org.libvirt.api.domain.pm-control                               auth_admin_keep
org.libvirt.api.domain.read-secure                              auth_admin_keep
org.libvirt.api.domain.reset                                    auth_admin_keep
org.libvirt.api.domain.save                                     auth_admin_keep
org.libvirt.api.domain.screenshot                               auth_admin_keep
org.libvirt.api.domain.send-input                               auth_admin_keep
org.libvirt.api.domain.send-signal                              auth_admin_keep
org.libvirt.api.domain.set-password                             auth_admin_keep
org.libvirt.api.domain.set-time                                 auth_admin_keep
org.libvirt.api.domain.snapshot                                 auth_admin_keep
org.libvirt.api.domain.start                                    auth_admin_keep
org.libvirt.api.domain.stop                                     auth_admin_keep
org.libvirt.api.domain.suspend                                  auth_admin_keep
org.libvirt.api.domain.write                                    auth_admin_keep
org.libvirt.api.interface.delete                                auth_admin_keep
org.libvirt.api.interface.save                                  auth_admin_keep
org.libvirt.api.interface.start                                 auth_admin_keep
org.libvirt.api.interface.stop                                  auth_admin_keep
org.libvirt.api.interface.write                                 auth_admin_keep
org.libvirt.api.network.delete                                  auth_admin_keep
org.libvirt.api.network.save                                    auth_admin_keep
org.libvirt.api.network.start                                   auth_admin_keep
org.libvirt.api.network.stop                                    auth_admin_keep
org.libvirt.api.network.write                                   auth_admin_keep
org.libvirt.api.node-device.detach                              auth_admin_keep
org.libvirt.api.node-device.read                                auth_admin_keep
org.libvirt.api.node-device.start                               auth_admin_keep
org.libvirt.api.node-device.stop                                auth_admin_keep
org.libvirt.api.node-device.write                               auth_admin_keep
org.libvirt.api.nwfilter.delete                                 auth_admin_keep
org.libvirt.api.nwfilter.save                                   auth_admin_keep
org.libvirt.api.nwfilter.write                                  auth_admin_keep
org.libvirt.api.secret.delete                                   auth_admin_keep
org.libvirt.api.secret.read-secure                              auth_admin_keep
org.libvirt.api.secret.save                                     auth_admin_keep
org.libvirt.api.secret.write                                    auth_admin_keep
org.libvirt.api.storage-pool.delete                             auth_admin_keep
org.libvirt.api.storage-pool.format                             auth_admin_keep
org.libvirt.api.storage-pool.refresh                            auth_admin_keep
org.libvirt.api.storage-pool.save                               auth_admin_keep
org.libvirt.api.storage-pool.search-storage-vols                auth_admin_keep
org.libvirt.api.storage-pool.start                              auth_admin_keep
org.libvirt.api.storage-pool.stop                               auth_admin_keep
org.libvirt.api.storage-pool.write                              auth_admin_keep
org.libvirt.api.storage-vol.create                              auth_admin_keep
org.libvirt.api.storage-vol.data-read                           auth_admin_keep
org.libvirt.api.storage-vol.data-write                          auth_admin_keep
org.libvirt.api.storage-vol.delete                              auth_admin_keep
org.libvirt.api.storage-vol.format                              auth_admin_keep
org.libvirt.api.storage-vol.resize                              auth_admin_keep
# libvirt (bsc#1100328)
org.libvirt.api.connect.search-nwfilter-bindings                auth_admin_keep
# libvirt (bsc#1106813)
org.libvirt.api.nwfilter-binding.getattr                        auth_admin_keep
org.libvirt.api.nwfilter-binding.read                           auth_admin_keep
org.libvirt.api.nwfilter-binding.create                         no
org.libvirt.api.nwfilter-binding.delete                         no
# libvirt (bsc#1140151) addition of all no:no:no actions and two read-only actions
# A single value such as "no" applies to all three fields (any:inactive:active),
# so it is equivalent to no:no:no.
org.libvirt.api.network-port.create                             no
org.libvirt.api.network-port.delete                             no
org.libvirt.api.network-port.write                              no
org.libvirt.api.network.search-ports                            no
# NOTE(review): these two entries allow local sessions (inactive and active)
# without any authentication and other clients after authenticating as
# themselves, whereas the other libvirt *.getattr / *.read actions in this
# file use auth_admin_keep. Confirm this is intended for the restrictive profile.
org.libvirt.api.network-port.getattr                            auth_self:yes:yes
org.libvirt.api.network-port.read                               auth_self:yes:yes
# libvirt (bsc#1144077) another no:no:no action
org.libvirt.api.domain.checkpoint                               no
# libvirt added node-device action (bsc#1186270)
org.libvirt.api.node-device.delete                              no:no:no
# addition of node-device.save (bsc#1221094)
org.libvirt.api.node-device.save                                no:no:no

# MATE settings-daemon (bsc#831404)
org.mate.settingsdaemon.datetimemechanism.settimezone           no:no:auth_admin_keep
org.mate.settingsdaemon.datetimemechanism.settime               no:no:auth_admin_keep
org.mate.settingsdaemon.datetimemechanism.configurehwclock      no:no:auth_admin_keep
org.mate.randr.install-system-wide                              no:no:auth_admin_keep
org.mate.power.backlight-helper                                 no:no:yes

# pcsc-lite (bsc#864178)
org.debian.pcsc-lite.access_pcsc                                no:no:yes
org.debian.pcsc-lite.access_card                                no:no:yes

# firewalld (bsc#907625)
org.fedoraproject.FirewallD1.all                                auth_admin_keep
org.fedoraproject.FirewallD1.info                               auth_admin_keep
org.fedoraproject.FirewallD1.config                             auth_admin_keep
org.fedoraproject.FirewallD1.config.info                        auth_admin_keep
org.fedoraproject.FirewallD1.direct                             auth_admin_keep
org.fedoraproject.FirewallD1.direct.info                        auth_admin_keep
org.fedoraproject.FirewallD1.policies                           auth_admin_keep
org.fedoraproject.FirewallD1.policies.info                      auth_admin_keep

# gnome-multi-writer (bsc#924062)
org.gnome.MultiWriter.probe                                     auth_admin:auth_admin:auth_admin_keep

# realmd (bsc#916767)
org.freedesktop.realmd.configure-realm                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.realmd.deconfigure-realm                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.realmd.login-policy                             auth_admin:auth_admin:auth_admin_keep
# realmd (bsc#1048025)
org.freedesktop.realmd.discover-realm                           no:auth_admin:auth_admin_keep

# importd (bsc#964935)
org.freedesktop.import1.import                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.import1.export                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.import1.pull                                    auth_admin:auth_admin:auth_admin_keep

# brltty (bsc#967436)
org.a11y.brlapi.write-display                                   no:no:auth_admin_keep

# sysprof (bsc#1151418)
org.gnome.sysprof3.profile                                      auth_admin_keep

# flatpak (bsc#984817)
org.freedesktop.Flatpak.app-install                             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-install                         auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-uninstall                       auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.app-uninstall                           auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.configure-remote                        auth_admin:auth_admin:auth_admin
org.freedesktop.Flatpak.app-update                              auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-update                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.appstream-update                        auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.configure                               auth_admin:auth_admin:auth_admin_keep
# flatpak (bsc#1012961, bsc#1064011)
org.freedesktop.Flatpak.update-remote                           auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.install-bundle                          auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.modify-repo                             auth_admin:auth_admin:auth_admin_keep
# flatpak (bsc#1123653)
org.freedesktop.Flatpak.metadata-update                         auth_admin:auth_admin:auth_admin_keep
# flatpak (bsc#1161091)
org.freedesktop.Flatpak.override-parental-controls              auth_admin:auth_admin:auth_admin
# update of app which is restricted by parental controls (bsc#1243046)
org.freedesktop.Flatpak.override-parental-controls-update       auth_admin:auth_admin:yes

# blueman (bsc#987141)
org.blueman.network.setup                                       auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.dhcp.client                                         auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.pppd.pppconnect                                     auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.rfkill.setstate                                     auth_admin:auth_admin_keep:auth_admin_keep

# tuned (bsc#1007279)
# Entries with a single "yes" are allowed for every client without
# authentication; judging by their names these are status/information queries.
# disable, reload, start and stop require admin authentication in all sessions.
# NOTE(review): switch_profile is "yes" in the third (active session) field, so
# a user in an active local session can change the tuned profile without
# authenticating. Confirm this is wanted in the restrictive profile.
com.redhat.tuned.active_profile                                 yes
com.redhat.tuned.disable                                        auth_admin:auth_admin:auth_admin
com.redhat.tuned.is_running                                     yes
com.redhat.tuned.profile_info                                   yes
com.redhat.tuned.profiles                                       yes
com.redhat.tuned.profiles2                                      yes
com.redhat.tuned.recommend_profile                              yes
com.redhat.tuned.reload                                         auth_admin:auth_admin:auth_admin
com.redhat.tuned.start                                          auth_admin:auth_admin:auth_admin
com.redhat.tuned.stop                                           auth_admin:auth_admin:auth_admin
com.redhat.tuned.switch_profile                                 auth_admin:auth_admin:yes
# tuned (bsc#1048961)
com.redhat.tuned.verify_profile                                 yes:yes:yes
com.redhat.tuned.verify_profile_ignore_missing                  yes:yes:yes
# tuned (bsc#1088648)
com.redhat.tuned.auto_profile                                   auth_admin:auth_admin:yes
com.redhat.tuned.profile_mode                                   yes:yes:yes
# tuned (bsc#1118117)
com.redhat.tuned.log_capture_finish                             auth_admin:auth_admin:yes
com.redhat.tuned.log_capture_start                              auth_admin:auth_admin:yes
# tuned (bsc#1131858)
com.redhat.tuned.get_all_plugins                                auth_admin:auth_admin:yes
com.redhat.tuned.get_plugin_documentation                       auth_admin:auth_admin:yes
com.redhat.tuned.get_plugin_hints                               auth_admin:auth_admin:yes
# incremental addition (bsc#1185418)
com.redhat.tuned.post_loaded_profile                            yes:yes:yes
# addition of acquire_devices method (bsc#1208727)
com.redhat.tuned.instance_acquire_devices                       auth_admin:auth_admin:auth_admin
# additional getter methods (bsc#1220081)
com.redhat.tuned.get_instances                                  auth_admin:auth_admin:yes
com.redhat.tuned.instance_get_devices                           auth_admin:auth_admin:yes
# additional instance create/destroy and PPD methods (bsc#1232412)
com.redhat.tuned.instance_create                                auth_admin:auth_admin:auth_admin
com.redhat.tuned.instance_destroy                               auth_admin:auth_admin:auth_admin
# tuned-ppd (bsc#1236029)
# renamed some actions & compatibility with UPower interface
net.hadess.PowerProfiles.hold-profile                           no:no:yes
net.hadess.PowerProfiles.release-profile                        no:no:yes
net.hadess.PowerProfiles.switch-profile                         no:no:yes
# This action is currently only found in tuned-ppd.
# Once upower-daemon implements it, this entry should be moved into the UPower section.
org.freedesktop.UPower.PowerProfiles.release-profile            no:no:yes

# backintime (bsc#1007723)
net.launchpad.backintime.UdevRuleSave                           auth_admin:auth_admin:auth_admin
net.launchpad.backintime.UdevRuleDelete                         auth_admin:auth_admin:auth_admin
# backintime changed name in qt5 (bsc#1133680)
net.launchpad.backintime.qtgui                                  auth_admin:auth_admin:auth_admin

# fwupd (bsc#932807)
# Fields are any:inactive:active. For every fwupd action the middle field is
# "no", so inactive local sessions are denied outright, while the first field
# still lets other clients proceed after admin authentication.
# Most actions use auth_admin_keep for active sessions, which keeps the
# authorization for a brief period. set-bios-settings, fix-host-security-attr
# and undo-host-security-attr use plain auth_admin there, so the authorization
# is not kept between invocations.
org.freedesktop.fwupd.update-internal                           auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.downgrade-internal                        auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-hotplug                            auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.downgrade-hotplug                         auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.device-unlock                             auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.verify-update                             auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-internal-trusted                   auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-hotplug-trusted                    auth_admin:no:auth_admin_keep
# fwupd (bsc#1083022)
org.freedesktop.fwupd.modify-remote                             auth_admin:no:auth_admin_keep
# fwupd (bsc#1133082)
org.freedesktop.fwupd.device-activate                           auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.self-sign                                 auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.set-approved-firmware                     auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.modify-config                             auth_admin:no:auth_admin_keep
# fwupd (bsc#1193310)
org.freedesktop.fwupd.downgrade-internal-trusted                auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.downgrade-hotplug-trusted                 auth_admin:no:auth_admin_keep
# fwupd (bsc#1204026)
org.freedesktop.fwupd.get-bios-settings                         auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.set-bios-settings                         auth_admin:no:auth_admin
# fwupd (bsc#1216832)
org.freedesktop.fwupd.fix-host-security-attr                    auth_admin:no:auth_admin
org.freedesktop.fwupd.undo-host-security-attr                   auth_admin:no:auth_admin
# fwupd 2.0 update (bsc#1235659)
org.freedesktop.fwupd.quit                                      auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.reset-config                              auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.emulation-save                            auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.emulation-tag                             auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.emulation-load                            auth_admin:no:auth_admin_keep

# connman (bsc#1057697)
net.connman.modify                                              auth_admin_keep
net.connman.vpn.modify                                          auth_admin_keep
# connman (bsc#1083069)
net.connman.secret                                              no:no:auth_admin_keep
net.connman.vpn.secret                                          no:no:auth_admin_keep

# gsmartcontrol (bsc#1084693)
org.gsmartcontrol                                               auth_admin

# gvfs (bsc#1073214)
org.gtk.vfs.file-operations                                     no:no:auth_admin_keep
org.gtk.vfs.file-operations-helper                              no:no:auth_admin_keep

# laptop-mode-tools (bsc#1084695)
org.linux.lmt.gui.policy                                        auth_admin

# mate-system-monitor (bsc#1084701)
org.mate.mate-system-monitor.kill                               no:no:auth_admin
org.mate.mate-system-monitor.renice                             no:no:auth_admin

# nemo (bsc#1084702)
org.nemo.root                                                   no:no:auth_admin_keep
# nemo-extensions (bsc#1084703)
org.nemo-share.samba_install                                    no:no:auth_admin_keep

# spice-gtk (bsc#1083025)
org.spice-space.lowlevelusbaccess                               no:no:auth_admin

# bleachbit (bsc#1087326)
org.bleachbit                                                   auth_admin

# liblxqt (backlight backend helper, bsc#1092192)
org.lxqt.backlight.pkexec                                       no:no:yes

# gamemode (bsc#1093979): access is now bound to gamemode group membership,
# established by custom polkit rules in 40-gamemode.rules.
# The no:no:no defaults below therefore deny everyone implicitly; who can
# actually use these helpers is decided by that rules file and by membership
# of the gamemode group, which is what needs to be reviewed when auditing.
com.feralinteractive.GameMode.governor-helper                   no:no:no
# additional gpuclockctl (bsc#1129967)
com.feralinteractive.GameMode.gpu-helper                        no:no:no
# additional cpu and procsys helpers (bsc#1217915)
com.feralinteractive.GameMode.cpu-helper                        no:no:no
com.feralinteractive.GameMode.procsys-helper                    no:no:no

# meson (bsc#1103811)
com.mesonbuild.install.run                                      no:no:auth_admin

# bolt (bsc#1119975)
org.freedesktop.bolt.authorize                                  auth_admin:auth_admin:auth_admin_keep
org.freedesktop.bolt.enroll                                     auth_admin:auth_admin:auth_admin_keep
org.freedesktop.bolt.manage                                     auth_admin:auth_admin:auth_admin_keep

# luckybackup (bsc#1120403)
# Don't relax this, it runs rsync with arbitrary parameters
# The single value applies to all session types. Plain auth_admin (rather than
# auth_admin_keep) means the admin authorization is not kept for later
# invocations.
net.luckybackup.su                                              auth_admin

# lightdm-gtk-greeter-settings (bsc#1135695)
com.ubuntu.pkexec.lightdm-gtk-greeter-settings                  auth_admin

# calamares run as root in X11 (bsc#1143147)
com.github.calamares.calamares.pkexec.run                       no:no:auth_admin

# backup tool that needs root privilege escalation via pkexec (bsc#1165436)
in.teejeetech.pkexec.timeshift-gtk                              auth_admin:auth_admin:auth_admin
in.teejeetech.pkexec.timeshift                                  auth_admin:auth_admin:auth_admin

# cockpit uses polkit to gain additional privileges on demand (bsc#1169614)
org.cockpit-project.cockpit.root-bridge                         auth_admin:auth_admin:auth_admin

# GNOME parental controls, accountservice extensions (bsc#1177974)
com.endlessm.ParentalControls.AccountInfo.ReadAny               auth_admin:auth_admin:yes
com.endlessm.ParentalControls.AppFilter.ReadOwn                 yes:yes:yes
com.endlessm.ParentalControls.SessionLimits.ReadOwn             yes:yes:yes
com.endlessm.ParentalControls.AccountInfo.ChangeAny             no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.AccountInfo.ChangeOwn             no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.AppFilter.ChangeAny               no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.AppFilter.ChangeOwn               no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.AppFilter.ReadAny                 no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.SessionLimits.ChangeAny           no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.SessionLimits.ChangeOwn           no:auth_admin:auth_admin_keep
com.endlessm.ParentalControls.SessionLimits.ReadAny             no:auth_admin:auth_admin_keep
org.freedesktop.MalcontentControl.administration                no:no:auth_admin
com.endlessm.ParentalControls.AccountInfo.ReadOwn               yes:yes:yes

# kdenetwork-filesharing, Samba configuration (bsc#1175633)
org.kde.filesharing.samba.isuserknown                           no:auth_admin_keep:auth_admin_keep
org.kde.filesharing.samba.createuser                            auth_admin:auth_admin:auth_admin
org.kde.filesharing.samba.addtogroup                            auth_admin:auth_admin:auth_admin

# KDiskMark, HDD/SSD benchmark tool (bsc#1182521, bsc#1202725)
dev.jonmagon.kdiskmark.helper.init                              no:no:auth_admin

# setroubleshoot (boo#1186344)
org.fedoraproject.setroubleshootfixit.write                     auth_admin

# zypp-gui repository manager (bsc#1188364)
zypp.gui.pkexec.run no:no:auth_admin_keep

# a daemon that deals with system power settings (bsc#1189900, bsc#1219957)
org.freedesktop.UPower.PowerProfiles.switch-profile no:no:yes
org.freedesktop.UPower.PowerProfiles.hold-profile no:no:yes
# added charging-limit action (bsc#1232835)
org.freedesktop.UPower.enable-charging-limit no:no:yes
# added configure-action & configure-battery-aware (bsc#1240862)
org.freedesktop.UPower.PowerProfiles.configure-action no:no:yes
org.freedesktop.UPower.PowerProfiles.configure-battery-aware no:no:yes

# kcron dbus helper (bsc#1193945)
local.kcron.crontab.save no:no:auth_admin

# preliminary whitelisting of shaky partitioning service (bsc#1178848, bsc#1203315)
org.kde.kpmcore.externalcommand.init no:no:auth_admin_keep

# D-Bus bridge connecting towards the custom IPC protocol of usbguard (bsc#1196621)
# All actions are denied outside an active local session (no:no:...).
# The list/get actions use auth_admin_keep, so the admin authorization is kept
# for a brief period; the actions that change rules, device policy or
# parameters use auth_admin, so the authorization is not kept between changes.
org.usbguard.Policy1.listRules no:no:auth_admin_keep
org.usbguard.Devices1.listDevices no:no:auth_admin_keep
org.usbguard1.getParameter no:no:auth_admin_keep
org.usbguard.Policy1.appendRule no:no:auth_admin
org.usbguard.Policy1.removeRule no:no:auth_admin
org.usbguard.Devices1.applyDevicePolicy no:no:auth_admin
org.usbguard1.setParameter no:no:auth_admin

# iio-sensor-proxy sensor access (bsc#1201558)
net.hadess.SensorProxy.claim-sensor no:no:yes

# policycoreutils-dbus (bsc#1213435)
org.selinux.config.pkexec.run no:no:auth_admin
org.selinux.restorecon no:no:auth_admin_keep
org.selinux.setenforce no:no:auth_admin_keep
org.selinux.semanage no:no:auth_admin_keep
org.selinux.customized no:no:auth_admin_keep
org.selinux.semodule_list no:no:auth_admin_keep
org.selinux.relabel_on_boot no:no:auth_admin_keep
org.selinux.change_default_policy no:no:auth_admin_keep
org.selinux.change_default_mode no:no:auth_admin_keep

# dnf5daemon-server (bsc#1218327, bsc#1245451)
org.rpm.dnf.v0.rpm.Repo.conf_write auth_admin:auth_admin:auth_admin
org.rpm.dnf.v0.rpm.execute_transaction auth_admin:auth_admin:auth_admin
org.rpm.dnf.v0.rpm.execute_trusted_transaction auth_admin:auth_admin:auth_admin
org.rpm.dnf.v0.rpm.Repo.confirm_key auth_admin:auth_admin:auth_admin
org.rpm.dnf.v0.base.Config.override auth_admin:auth_admin:auth_admin

# system-wide RDP daemon for display manager access (bsc#1222159)
org.gnome.remotedesktop.configure-system-daemon auth_admin:auth_admin:auth_admin
org.gnome.remotedesktop.enable-system-daemon auth_admin:auth_admin:auth_admin

# timekpr-next admin interface (bsc#1234134)
com.ubuntu.timekpr.pkexec auth_admin:auth_admin:auth_admin

# update management of operating system assets like containers (bsc#1237106)
org.freedesktop.sysupdate1.check auth_admin:auth_admin:yes
org.freedesktop.sysupdate1.update auth_admin:auth_admin:auth_admin_keep
org.freedesktop.sysupdate1.update-to-version auth_admin:auth_admin:auth_admin_keep
org.freedesktop.sysupdate1.vacuum auth_admin:auth_admin:auth_admin_keep
org.freedesktop.sysupdate1.manage-features auth_admin:auth_admin:auth_admin_keep

# apparmor-utils: helper to whitelist violations found in the audit.log (bsc#1237329)
net.apparmor.pkexec.aa-notify.modify_profile auth_admin:auth_admin:auth_admin
net.apparmor.pkexec.aa-notify.create_userns auth_admin:auth_admin:auth_admin

# clone of Gnome backlight helper (bsc#1248851)
org.gnome.mutter.backlight-helper no:no:yes
