Atomic Desktops: Drop compatibility for pkla polkit rules

Summary

Remove support for deprecated pkla polkit rules from all Fedora Atomic Desktops. All other ostree/bootable container images dropped it already.

Owner

• Name/Email: Timothée Ravier, siosm@fedoraproject.org

Current status

• Targeted release: Fedora Linux 44
• Last updated: 2026-02-10
• Announced
• Discussion thread
• FESCo issue: #3553
• Tracker bug: #2438551
• Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Compatibility support for the legacy pkla format of pokit rules has been moved to Recommends in f306ce1 polkit hogs cpu on every login/logout which landed in Fedora 41. At the exception of the Fedora Atomic Desktops, all ostree/bootable container systems disable recommends thus they dropped the polkit-pkla-compat package with the update to Fedora 41 (see for Fedora CoreOS). This change does it for the Atomic Destkops.

Feedback

This was initially suggested in F37: Make pkexec and pkla-compat optional which was rejected at the time (see discussion in https://pagure.io/fesco/issue/2766).

Since then:

• the polkit-pkla-compat package has been made optional by the polkit maintainer
• this change reduces the scope to Atomic Desktops only where we currently don't include any package using pkla legacy rules and leaves pkexec as is

Users that still want to use pkla rules can layer the polkit-pkla-compat package on their systems or build derived images.

However, it's likely that the ecosystem has moved on at this point:

• The last version of Debian with support for those rules is Debian 12 (oldstable) as Debian 13 (stable) dropped the package (https://packages.debian.org/bookworm/polkitd-pkla)
• The last version of Ubuntu with support for those rules is 24.04 (https://packages.ubuntu.com/search?suite=noble&searchon=names&keywords=pkla) and the package has not been included by default since Ubuntu 24.04 (at least).

Benefit to Fedora

Remove support for obsolete configuration files for a privileged component of the OS and align Atomic Desktops will other ostree/bootable container images.

Scope

• Proposal owners: Will exclude polkit-pkla-compat from Atomic Desktops

• Other developers: Convert remaining pkla rules to the new format as needed for the remaining packages.

• Release engineering: N/A

• Policies and guidelines: N/A (not needed for this Change)

• Trademark approval: N/A (not needed for this Change)

• Alignment with the Fedora Strategy: General improvement for Atomic Desktops

Upgrade/compatibility impact

Systems that still rely on pkla rules will need to have those rules converted to the new polkit format.

Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test

Remove the polkit-pkla-compat locally or from the container image. Verify normal operation of privileged operations.

User Experience

Nothing specific to note.

Dependencies

None.

Contingency Plan

• Contingency mechanism: (What to do? Who will do it?) Revert the change. The Atomic Desktops maintainers will do it.
• Contingency deadline: N/A (not a System Wide Change) but Beta/Final freeze
• Blocks release? N/A (not a System Wide Change) but No, can be easily reverted

Documentation

See release notes.

Release Notes

Support for the legacy pkla format for polkit rules has been removed from all Fedora Atomic Desktops. If you have applications that still rely on those rules, you can re-install the package (by overlaying it or by building your own container image).