Description of problem:

From Colin in mga#18084, comment 11:

Definitely a step forward, however, this is not secure. The direct commands are just shortcuts to running "systemctl poweroff|halt|reboot|shutdown". The fact that shortcuts disappear does not prevent the user from running the slightly longer versions.

Really all MSEC should do is adjust the policykit policy on these actions and always leave the links in place. They would either work or not according to user permissions while still allowing admins the luxury of the shortcuts (and bin vs. sbin is not the answer here to that!).

Draksec does something similar to allow configuration of which tools can run without root privs. It writes out an auth function and then the rules check the results of that function. See the code in draksec binary (perl) for how/where it writes the polkit auth function and the file org.mageia.draksec.rules for how it's used. You could do something similar to control these commands in systemd (overriding the default policies).

This would be the correct way to solve this problem, removal of the symlinks is not enough.

From David, comment 13:

If you do enhance this as Colin suggested, please ensure that it does still restore the symlinks if they're missing.
CC: (none) => luigiwalser, mageia
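
A sketch of the pattern described above (a generated "auth function" consulted by a polkit rule), added here as an illustration; it is not msec or draksec code. It assumes the power commands are authorized through logind's `org.freedesktop.login1.*` polkit actions; the names `POWER_POLICY`, `msecPowerAuth`, `powerRule` and the trusted group `wheel` are hypothetical.

```javascript
// Hypothetical generated part: the table a tool such as msec would rewrite
// for each security level. Values apply to users outside TRUSTED_GROUP.
var POWER_POLICY = {
    "org.freedesktop.login1.power-off": "auth_admin",
    "org.freedesktop.login1.power-off-multiple-sessions": "auth_admin",
    "org.freedesktop.login1.reboot": "auth_admin",
    "org.freedesktop.login1.reboot-multiple-sessions": "auth_admin",
    "org.freedesktop.login1.halt": "no",
    "org.freedesktop.login1.halt-multiple-sessions": "no"
};
var TRUSTED_GROUP = "wheel"; // assumption: the admin group on this system

// Inside polkitd the global `polkit` exists; the literal values below are
// stand-ins so the rule can be exercised outside polkitd.
var RESULT = (typeof polkit !== "undefined") ? polkit.Result : {
    NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null
};

// Hypothetical "auth function": returns the configured verdict for an
// action id, or null when the action is not one we manage.
function msecPowerAuth(actionId) {
    return Object.prototype.hasOwnProperty.call(POWER_POLICY, actionId)
        ? POWER_POLICY[actionId] : null;
}

// The rule: checks the auth function's result, as the draksec rules file
// is described as doing for its own tools.
function powerRule(action, subject) {
    var verdict = msecPowerAuth(action.id);
    if (verdict === null) {
        return RESULT.NOT_HANDLED;   // unrelated action: defaults apply
    }
    if (subject.isInGroup(TRUSTED_GROUP)) {
        return RESULT.YES;           // admins keep the shortcuts
    }
    if (verdict === "auth_admin") {
        return RESULT.AUTH_ADMIN;    // prompt for admin credentials
    }
    return RESULT.NO;                // "no" or an unknown value: fail closed
}

if (typeof polkit !== "undefined") {
    polkit.addRule(powerRule);
}
```

Because the decision is made per action rather than per binary, the result is the same whether the user types the symlinked shortcut or the longer `systemctl` form, and the symlinks can stay in place.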