Best polkit permission set for rpm-ostree?

Here is an issue/ proposal of mine regarding polkit permissions for rpm-ostree.

Would you change anything, add anything?

The current implementation

  • allows wheel to break the system without a password
  • gives polkit password prompts for nonwheel users, resulting from auto updates

To make it work for nonwheel users, this is necessary.