On Thu, 2014-12-18 at 11:44 +0100, Peter Magnusson wrote:
> Hi Dan,
> 
> Thank you for the reply! This sounds like a good solution to me,
> unfortunately we are indeed using Gnome Shell UI so that would cause a
> problem.
> 
> So what you are saying is that right now there is no way to achieve
> this while using gnome shell?

There might be something we can do in NM itself though, given the way
the shell and most other clients create new connections.  But either
way, best thing to do would be to file a bug at
http://bugzilla.redhat.com against RHEL7 and assign to the
NetworkManager component so it doesn't get lost.  Does that sound OK?

Thanks!
Dan

> 
> On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams <d...@redhat.com> wrote:
> > On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> >> I'm having some problems with permissions on NetworkManager. We are in
> >> the process of migrating our clients from RHEL 6.6 to RHEL 7.
> >> The clients connect to our wireless network using eap-tls, we provide
> >> the configuration, certificate and keys for this from our central
> >> configuration server so that the connection is transparent to the user.
> >>
> >> In RHEL6.6 the password for the private key (pkcs12 used for
> >> authentication) was not visible to the users, only to administrators.
> >> This was achieved by setting the connection as "system wide" in which
> >> case the config file was stored under /etc/sysconfig/network-scripts
> >> and only accessible by root.
> >>
> >> In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> >> from git) we can still limit the permissions to NM config using polkit
> >> but when doing this we also limit the possibility for the user to add
> >> new wifi-networks.
> >>
> >> So what I would like to achieve is to limit access to existing
> >> connections (or connections not added by user) but I still want the
> >> users to be able to add new wifi connections. Is this possible?
> >
> > I looked into this yesterday, and I think the way forward here is to
> > restrict the user's permissions for "modify.system", but allow them
> > permissions for "modify.own" (own == self, not possession).  This will
> > prevent the user from being able to change any connection that is
> > in /etc and does not have specific permissions.  But it allows the user
> > to create new connections that are restricted to that user only.
> >
> > There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
> > it doesn't set the necessary flags to create these user-specific
> > connections when the modify.system permission is denied.  We can work on
> > fixing that though.
> >
> > Do you think this solution would work for you?
> >
> > Dan
> >
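
The permission split suggested in the quoted reply (deny "modify.system", allow "modify.own") could be written as a polkit rule like the one below. This is an added example, not part of the thread and not NetworkManager's own configuration; the `wheel` admin group, the function name and the fallback `Result` table are assumptions, and the full action ids are the NetworkManager polkit actions that the thread abbreviates.

```javascript
// Added example, not from the thread. Intended for a file under
// /etc/polkit-1/rules.d/ (the file name is up to the administrator).
// polkitd provides the `polkit` global; the fallback table below is a
// stand-in so the decision function can also be exercised outside polkitd.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NO: "no" };

var NM_SETTINGS = "org.freedesktop.NetworkManager.settings.";
var ADMIN_GROUP = "wheel"; // assumption: administrators are members of wheel

function nmSettingsRule(action, subject) {
    // Leave every non-NetworkManager-settings action to other rules.
    if (action.id.indexOf(NM_SETTINGS) !== 0) {
        return null;
    }
    // Administrators fall through to the distribution defaults.
    if (subject.isInGroup(ADMIN_GROUP)) {
        return null;
    }
    switch (action.id) {
    case NM_SETTINGS + "modify.system":
        // Provisioned connections in /etc stay read-only for ordinary users.
        return Result.NO;
    case NM_SETTINGS + "modify.own":
        // Users at a local, active session may manage their own connections.
        return (subject.local && subject.active) ? Result.YES : null;
    default:
        return null;
    }
}

if (typeof polkit !== "undefined") {
    polkit.addRule(nmSettingsRule);
}
```

As the quoted reply notes, GNOME Shell on RHEL 7.0 does not set the flags needed to create user-specific connections when modify.system is denied, so a rule like this only has the intended effect with clients that do.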


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
