By settinf Defaults role/type parameters, sudo starts asking for
password when called as root. It isn't clear why this happens, but
rollback that change. Instead, set ROLE/TYPE just for the rule for the
'qubes' group, which already has NOPASSWD option.
Fixes 3bcc1c3 "“sudo” must remove SELinux restrictions"
Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying. If SELinux is disabled, these fields are ignored.
Without this restriction system users can start processes with
root privileges:
$ sudo -u mail systemd-run --pipe -q id
uid=0(root) gid=0(root) groups=0(root)
In Red Hat based distributions, there is no pam-configs like
mechanism (authselect seems too heavy and is not configured by
default), so instead, we replace the PAM file.
Enable su for users in the qubes group, same as in the Debian
package.
