passwordless-root: policykit: restrict access to group qubes

Without this restriction system users can start processes with
root privileges:

  $ sudo -u mail systemd-run --pipe -q id
  uid=0(root) gid=0(root) groups=0(root)

passwordless-root/polkit-1-qubes-allow-all.pkla

@@ -1,5 +1,5 @@
 [Qubes allow all]
-Identity=*
+Identity=unix-group:qubes
 Action=*
 ResultAny=yes
 ResultInactive=yes