Why does rpm-ostree command not require super user privileges?

Fedora 36 Silverblue
Gnome Shell 42.2

I don’t need sudo to run rpm-ostree on my system. Is that normal and safe?

Feels like it can wreak a lot of havoc. Used to doing sudo dnf


It uses a polkit policy that allows administrators (which by default is anyone in the wheel group) to run it without super user privileges. If you have a second user that isn’t in the wheel group, it would require sudo.

If you don’t like this behavior, you could override it in /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules


Is there a way to configure it so that updating doesn’t need sudo access but layering does?

Yes. Take a look at /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules. Copy it in /etc/... to override it to your liking.
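
An added example, not part of the thread and not the rules file Fedora ships: one way to write the split asked about above, as candidate content for /etc/polkit-1/rules.d/org.projectatomic.rpmostree1.rules. The action names are taken from rpm-ostree's polkit policy and should be confirmed against the shipped file; limiting password-free updates to wheel members and the small `polkit` stub (so the rule can be exercised under Node) are assumptions of this example.

```javascript
// Outside polkitd (e.g. under Node) there is no global `polkit`, so a minimal
// stand-in is defined for testing. Inside polkitd this branch is skipped.
if (typeof polkit === "undefined") {
    var polkit = {
        Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
        addRule: function (fn) {}
    };
}

var PREFIX = "org.projectatomic.rpmostree1.";
// Updating the deployed image: no password prompt.
var UPDATE_ACTIONS = ["repo-refresh", "upgrade"];
// Layering, local RPM installs and base-package overrides: always prompt.
var LAYERING_ACTIONS = ["install-uninstall-packages",
                        "install-local-packages",
                        "override"];

function rpmOstreeRule(action, subject) {
    if (action.id.indexOf(PREFIX) !== 0) {
        return polkit.Result.NOT_HANDLED;      // not an rpm-ostree action
    }
    var name = action.id.slice(PREFIX.length);

    if (LAYERING_ACTIONS.indexOf(name) !== -1) {
        // Rules files in /usr/share are still evaluated after those in /etc.
        // Returning an explicit result here stops evaluation, so a later
        // rule cannot answer YES for this action.
        return polkit.Result.AUTH_ADMIN;
    }

    var trusted = subject.active && subject.local && subject.isInGroup("wheel");
    if (UPDATE_ACTIONS.indexOf(name) !== -1 && trusted) {
        return polkit.Result.YES;
    }

    // Everything else falls through to the remaining rules and the
    // defaults declared in the action's .policy file.
    return polkit.Result.NOT_HANDLED;
}

polkit.addRule(rpmOstreeRule);
```

With this in place, `rpm-ostree upgrade` runs without a prompt for a wheel user at a local session, while `rpm-ostree install` asks for an administrator password each time.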