Markos Chandras changed bug 971580
What Removed Added
Flags needinfo?(mchandras@suse.com)  

Comment # 3 on bug 971580 from
(In reply to Sebastian Krahmer from comment #2)
> This was by intention. Accessing firewall rules may not
> be something for the average user. What's wrong with entering
> admin credentials when doing so?
> Which rules in particular do you want to have relaxed for .standard?

Hi Sebastian,

If you compare the 'desktop' and 'server' polkit files as provided by the
firewalld package you will see that they only differ in the *.info actions (e.g.
org.fedoraproject.FirewallD1.policies.info). The desktop file is far more
relaxed in allowing users to obtain the current configuration without
authentication. Altering the configuration needs authentication of course.
I can provide the diff between these two files if needed.

This will affect desktop users using NetworkManager in the future (currently
firewalld is disabled in our NM builds) because it means that whenever you edit
or query a network connection for your user session you will have to gain extra
privileges in order for NM to talk to firewalld via dbus to obtain the zone for
the network interface. I think this is not very user friendly for desktop
environments. For what it's worth, Fedora (I am mentioning Fedora because it's
been using firewalld as default for a while) also uses the desktop polkit file
in the workstation builds so querying the firewall as a user is allowed there.

My understanding is that the restrictive file targets secure environments
(servers, secured workstations, etc.) and the standard one targets home-based
environments so the current behavior is probably not very user friendly for
regular users.
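
Added example, not part of the comment above and not code from the firewalld or polkit projects: a small script that compares the implicit authorizations (the defaults block) of two polkit policy files and lists which actions an active local user may call without authentication. The two policy texts and the action id example.placeholder.config are constructed for illustration; only the *.info action id comes from the comment.

```python
import xml.etree.ElementTree as ET

FIELDS = ("allow_any", "allow_inactive", "allow_active")
INFO = "org.fedoraproject.FirewallD1.policies.info"  # action id named in the comment
CONFIG = "example.placeholder.config"                 # hypothetical "modify" action id

def sample(info_result):
    """Constructed policy text; real files also carry a DOCTYPE and descriptions."""
    def action(aid, result):
        body = "".join(f"<{f}>{result}</{f}>" for f in FIELDS)
        return f'<action id="{aid}"><defaults>{body}</defaults></action>'
    return ("<policyconfig>" + action(INFO, info_result)
            + action(CONFIG, "auth_admin_keep") + "</policyconfig>")

SERVER = sample("auth_admin_keep")  # constructed: queries need admin authentication
DESKTOP = sample("yes")             # constructed: queries allowed without authentication

def load_defaults(xml_text):
    """Map each action id to its allow_any / allow_inactive / allow_active values."""
    out = {}
    for action in ET.fromstring(xml_text).iter("action"):
        d = action.find("defaults")
        out[action.get("id")] = {
            f: (d.findtext(f, "unset").strip() if d is not None else "unset")
            for f in FIELDS
        }
    return out

def diff_defaults(old, new):
    """Return (action id, field, old value, new value) for every differing default."""
    changes = []
    for aid in sorted(set(old) | set(new)):
        for f in FIELDS:
            a = old.get(aid, {}).get(f, "absent")
            b = new.get(aid, {}).get(f, "absent")
            if a != b:
                changes.append((aid, f, a, b))
    return changes

def no_auth_actions(defaults):
    """Actions an active local session may invoke with no authentication prompt."""
    return sorted(a for a, d in defaults.items() if d["allow_active"] == "yes")

if __name__ == "__main__":
    for aid, field, a, b in diff_defaults(load_defaults(SERVER), load_defaults(DESKTOP)):
        print(f"{aid}: {field} {a} -> {b}")
    print("no-auth on desktop:", no_auth_actions(load_defaults(DESKTOP)))
```

To review real policy files, pass their contents to load_defaults() in place of the constructed SERVER and DESKTOP strings.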

