The man page for polkitd says:
... Users or administrators should never need to start this daemon as it will be automatically started by dbus-daemon(1) ...
Therefore polkitd will be restarted when dbus service is restarted. Since this service interacts with the desktop manager it is safer to log out of the desktop session, stop xdm service, restart dbus and start xdm again.
The man page for polkitd says:
... Users or administrators should never need to start this daemon as it will be automatically started by dbus-daemon(1) ...
Therefore polkitd will be restarted when dbus service is restarted. Since this service interacts with the desktop manager it is safer to log out of the desktop session, stop xdm service, restart dbus and start xdm again.
When using systemd, restarting polkit is as easy as: sudo systemctl restart polkitd.service
The polkit package in Debian 11 and earlier does not support JavaScript-based rules. Debian maintains a patch that replaces the JS-format rules engine with the older .pkla configuration format.
In this format, the rules would look like this:
[Require authentication for shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
See pklocalauthority(8) for the format documentation.
The hanging GUI seems to come from a missing authentication agent. I use return polkit.Result.NO; and it works as expected. Also removed packages pkexec, policykit-1, and polkitd-pkla.
Update
Redhat have changed the RPM dependencies around Polkit. It can now be uninstalled from servers even if something had pulled it in during prior upgrades or installations.
I am now able to uninstall Polkit from servers that other folks built as of CentOS 7.6.
It is still required on Workstations and that appears to be appropriate for desktop usage.
After adding rules to /etc/polkit-1/rules.d/99-deny-all.rules you should restart polkit service by systemctl restart polkit. After this systemctl would execute any requests from non-priveleged user.