Thanks, so pkaction is not the correct tool to check the privs.
The 90-default-privs.rules seems to contain the right settings:
# cat /etc/polkit-1/rules.d/90-default-privs.rules|egrep -A1 "hibernate|suspend"
'org.freedesktop.login1.inhibit-handle-hibernate-key':
'no', 'yes', 'yes' ],
--
'org.freedesktop.login1.inhibit-handle-suspend-key':
'no', 'no', 'no' ],
--
'org.freedesktop.login1.hibernate-multiple-sessions':
'no', 'no', 'no' ],
--
'org.freedesktop.login1.suspend-ignore-inhibit':
'no', 'no', 'no' ],
--
'org.libvirt.api.domain.suspend':
'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
--
'org.freedesktop.upower.hibernate':
'no', 'no', 'no' ],
--
'org.freedesktop.upower.suspend':
'no', 'no', 'no' ],
--
'org.freedesktop.login1.suspend':
'no', 'no', 'no' ],
--
'org.freedesktop.login1.suspend-multiple-sessions':
'no', 'no', 'no' ],
--
'org.libvirt.api.domain.hibernate':
'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
--
'org.freedesktop.login1.hibernate':
'no', 'no', 'no' ],
--
'org.freedesktop.login1.hibernate-ignore-inhibit':
'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
Anyhow the suspend button is still visible so there seem to be another config that overrides the polkit settings?
Maybe somethings wrong with /etc/sysconfig/security ?
# cat /etc/sysconfig/security
## Path: System/Security/Permissions
## Description: Configuration of permissions on the system
## Type: string
## Default: "easy local"
#
# Permission settings to use. By default 'easy', 'secure' and
# 'paranoid' exist. You may define your own though.
#
PERMISSION_SECURITY="easy local"
## Description: Use filesystem capabilities for more finegrained permission handling
## Type: yesno
## Default: "yes"
#
# Flag whether to use filesystem capabilities for finegrained
# access control (compared to setuid) or not.
#
PERMISSION_FSCAPS=""
## Path: System/Security/PolicyKit
## Description: Configuration of default PolicyKit privileges
## Type: list(set,warn,no)
## Default: set
## Config: set_polkit_default_privs
#
# set_polkit_default_privs can check PolicyKit default privileges.
# Setting this variable to "set" will change privileges that don't match the
# default. Setting to "warn" only prints a warning and "no" will
# disable this feature.
#
# Defaults to "set" if not specified
#
CHECK_POLKIT_PRIVS="set"
## Type: string
## Default: "standard"
## Config: set_polkit_default_privs
#
# SUSE ships with two sets of default privilege settings. These are
# "standard" and "restrictive".
#
# Examples: "standard", "restrictive foo bar"
#
# If not set the value depends on the setting of
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
# 'paranoid' the value will be 'restrictive', otherwise 'standard'.
#
# The 'local' file is always evaluated and takes precedence over all
# other files.
#
POLKIT_DEFAULT_PRIVS=""
## Type: list(yes,yast,no)
## Default: yes
#
# When working with packages and installation sources, check keys
# and signatures: yes = in YaST and ZENWorks, yast = in YaST, no =
# no checking.
#
CHECK_SIGNATURES="yes"
or /etc/sysconfig/displaymanager ?
# cat /etc/sysconfig/displaymanager
## Path: Desktop/Display manager
## Type: string(Xorg)
## Default: "Xorg"
#
DISPLAYMANAGER_XSERVER="Xorg"
## Path: Desktop/Display manager
## Description: settings to generate a proper displaymanager config
## Type: string(kdm,xdm,gdm,wdm,entrance,console,lightdm,sddm)
## Default: ""
#
# Here you can set the default Display manager (kdm/xdm/gdm/wdm/entrance/console).
# all changes in this file require a restart of the displaymanager
#
DISPLAYMANAGER="sddm"
## Path: Desktop/Display manager
## Description: settings to generate a proper displaymanager config
## Type: yesno
## Default: no
#
# Allow remote access (XDMCP) to your display manager (xdm/kdm/gdm). Please note
# that a modified kdm or xdm configuration, e.g. by KDE control center
# will not be changed. For gdm, values will be updated after change.
# XDMCP service should run only on trusted networks and you have to disable
# firewall for interfaces, where you want to provide this service.
#
DISPLAYMANAGER_REMOTE_ACCESS="no"
## Type: yesno
## Default: no
#
# Allow remote access of the user root to your display manager. Note
# that root can never login if DISPLAYMANAGER_SHUTDOWN is "auto" and
# System/Security/Permissions/PERMISSION_SECURITY is "paranoid"
#
DISPLAYMANAGER_ROOT_LOGIN_REMOTE="no"
## Type: yesno
## Default: yes
#
# Let the displaymanager start a local Xserver.
# Set to "no" for remote-access only.
# Set to "no" on architectures without any Xserver (e.g. s390/s390x).
#
DISPLAYMANAGER_STARTS_XSERVER="yes"
## Type: yesno
## Default: no
#
# TCP port 6000 of Xserver. When set to "no" (default) Xserver is
# started with "-nolisten tcp". Only set this to "yes" if you really
# need to. Remote X service should run only on trusted networks and
# you have to disable firewall for interfaces, where you want to
# provide this service. Use ssh X11 port forwarding whenever possible.
#
DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="no"
## Type: string
## Default:
#
# Define the user whom should get logged in without request. If string
# is empty, display standard login dialog.
#
DISPLAYMANAGER_AUTOLOGIN="terminal"
## Type: yesno
## Default: no
#
# Allow all users to login without password, but ask for the user, if
# DISPLAYMANAGER_AUTOLOGIN is empty.
#
DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
## Type: yesno
## Default: no
#
# Display a combobox for Active Directory domains.
#
DISPLAYMANAGER_AD_INTEGRATION="no"
## Type: list(root,all,none,auto)
## Default: auto
#
# Determine who will be able to shutdown or reboot the system in kdm. Valid
# values are: "root" (only root can shutdown), "all" (everybody can shutdown),
# "none" (nobody can shutdown from displaymanager), "auto" (follow
# System/Security/Permissions/PERMISSION_SECURITY to decide: "easy local" is
# equal to "all", everything else is equal to "root"). gdm respects the
# PolicyKit settings for ConsoleKit. Shutdown configuration can be done via
# the polkit-default-privs mechanism.
#
DISPLAYMANAGER_SHUTDOWN="none"