From 8914e11968a934faa651311fd98a98a3a19218ae Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 3 Jun 2020 10:45:12 -0500
Subject: [PATCH] Allow admin users to remove packages without password prompt

A local, active admin user can install packages without a password
prompt, but has to enter the admin password to remove packages. This
doesn't make much sense. It should be parallel.

Note that this change has no effect on what users are able to do,
because it only applies to admin users. The password only protects
against unlocked workstation attackers, where an attacker gains physical
access to an unlocked desktop. It's pretty weird to prevent such an
attacker from removing software, but allow installing new stuff.

https://pagure.io/fedora-workstation/issue/233
---
 policy/org.freedesktop.packagekit.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/org.freedesktop.packagekit.rules b/policy/org.freedesktop.packagekit.rules
index 6a1c8a701..95d21925f 100644
--- a/policy/org.freedesktop.packagekit.rules
+++ b/policy/org.freedesktop.packagekit.rules
@@ -1,5 +1,6 @@
 polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.packagekit.package-install" &&
+    if ((action.id == "org.freedesktop.packagekit.package-install" ||
+         action.id == "org.freedesktop.packagekit.package-remove") &&
         subject.active == true && subject.local == true &&
         subject.isInGroup("wheel")) {
             return polkit.Result.YES;
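Review bot: The widened condition at the top of the rule now returns `polkit.Result.YES` for `org.freedesktop.packagekit.package-remove`, but the rules file itself does not say why. The rationale (keeping removal parallel with installation for active, local `wheel` members) exists only in the commit message. Please add a short comment above the `if` stating that both actions are intentionally granted without authentication and to whom. Since `YES` skips the prompt for any process in that user's active local session and not only for someone at the keyboard, the comment should also record that this was considered. That way a later reader auditing the policy does not have to dig through history to learn that the unauthenticated removal is deliberate.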