more verbose default policy denials

Related: https://pagure.io/koji/issue/3397

hub/kojixmlrpc.py

@@ -557,23 +557,23 @@ def load_plugins(opts):
 _default_policies = {
     'build_from_srpm': '''
             has_perm admin :: allow
-            all :: deny
+            all :: deny Only admin can do this via default policy
             ''',
     'build_from_repo_id': '''
             has_perm admin :: allow
-            all :: deny
+            all :: deny Only admin can do this via default policy
             ''',
     'build_from_scm': '''
             has_perm admin :: allow
             # match scm_type CVS CVS+SSH && match scm_host scm.example.com && match scm_repository /cvs/example :: allow
             # match scm_type GIT GIT+SSH && match scm_host git.example.org && match scm_repository /example :: allow
             # match scm_type SVN SVN+SSH && match scm_host svn.example.org && match scm_repository /users/* :: allow
-            all :: deny
+            all :: deny Only admin can do this via default policy
             ''',  # noqa: E501
     'package_list': '''
             has_perm admin :: allow
             has_perm tag :: allow
-            all :: deny
+            all :: deny Only admin/tag can do this via default policy
             ''',
     'channel': '''
             has req_channel :: req
@@ -582,7 +582,7 @@ _default_policies = {
             ''',
     'vm': '''
             has_perm admin win-admin :: allow
-            all :: deny
+            all :: deny Only admin/win-admin can do this via default policy
            ''',
     'cg_import': '''
             all :: allow