Oh yeah great. So instead of locating setuid binaries and knowing that
*that* is my vulnerability surface, I have to parse a huge pile of XML and
hope that there are no bugs in PolicyKit and D-Bus that might cause
unintended things to be run (and we know there have been *none* like that
before). The setuid implementation in the kernel is tiny and trivially
auditable by comparison, sharing virtually all its code with the
tested-to-death-and-hopefully-audited ELF execve() implementation.
PolicyKit has been done right once before. It was called 'userv'.
PolicyKit itself is a huge step backwards if you actually want security.