|
|
Two narrow defence-in-depth rules:
- 52-systemd-local-only: org.freedesktop.systemd1.* requires both
subject.local and subject.active. Wheel-via-sudo-rs is on a different
path (sudoers) and is not affected. Stops a non-active or remote
polkit caller from start/stop/restart of system units.
- 53-udisks-system-mount: filesystem-mount-system and modify-system
require subject.active. The everyday USB auto-mount path uses
filesystem-mount (no -system suffix) and is unaffected.
Audited against current workflow (virt-manager, networkctl, USB mount,
bluetoothctl, fwupdmgr) — none of these break.
|
sommerfeld