Polkit documentation suggests that <allow_any> applies to all
clients, but that's actually not the case.  allow_any,
allow_inactive, and allow_active are evaluated individually based
on whether the user is local and active (allow_active), local and
inactive (allow_inactive), and not local (allow_any).  Thus all
three allow options must be specified for any authorization other
than 'no'.