Here is an issue/ proposal of mine regarding polkit permissions for rpm-ostree.
Would you change anything, add anything?
The current implementation
- allows wheel to break the system without a password
- gives polkit password prompts for nonwheel users, resulting from auto updates
To make it work for nonwheel users, this is necessary.