[SOLVED] nm-applet not authorized

Message

BurningMemory · Post by **BurningMemory** » Tue Apr 16, 2024 3:59 am

Hello there.

Here's an example of the message networkmanager sends:

localhost NetworkManager[5739]: <info>  [1713857929.6031] audit: op="device-disconnect" interface="enp10s0" ifindex=2 pid=11239 uid=1000 result="fail" reason="org.freedesktop.NetworkManager.network-control request failed: not authorized"

I've already tried two policies for polkit, as I still suspect the problem is related to it:

Code: Select all

polkit.addRule(function(action, subject) {
	var YES = polkit.Result.YES;
	var permission = {
		"org.freedesktop.NetworkManager.wifi.scan": YES,
		"org.freedesktop.NetworkManager.sleep-wake": YES,
		"org.freedesktop.NetworkManager.settings.modify.own": YES,
		"org.freedesktop.NetworkManager.settings.modify.hostname": YES,
		"org.freedesktop.NetworkManager.network-control": YES,
		"org.freedesktop.NetworkManager.enable-disable-wifi": YES,
		"org.freedesktop.NetworkManager.enable-disable-network": YES,
		"org.freedesktop.NetworkManager.enable-disable-connectivity-check": YES,
	};
	if (subject.isInGroup("wheel")) {
		return permission[action.id];
	}
});

and

Code: Select all

polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("plugdev")) {
        return polkit.Result.YES;
    }
});

Yes, my user is indeed in the plugdev group. Both policies didn't solve the problem, so maybe
it's not related to polkit at all, although I do not see any more issues in any log file or dmesg even.
SELinux was in permissive mode when the tests were performed. Also, nmtui does not work too.

alamahant · Post by **alamahant** » Tue Apr 16, 2024 3:02 pm

The problem is not NM.The problem is nm-applet that should run with elevated permissions.
Try adding your user to "wheel" group because of

Code: Select all

cat /etc/polkit-1/rules.d/55-allowing-all-actions.rules 
polkit.addRule (function (action, subject)
{
  if (subject.isInGroup ("wheel"))
  {
    return polkit.Result.YES;
  }
});

Or run nm-applet with sudo or as root.
Same goes with nmtui and nmcli also.

BurningMemory · Post by **BurningMemory** » Wed Apr 17, 2024 4:11 am

alamahant wrote:The problem is not NM.The problem is nm-applet that should run with elevated permissions.
Try adding your user to "wheel" group because

Thanks for the suggestions, though my user is already in the wheel group.
Also, I don't think running with elevated privs directly is a good idea.

BurningMemory · Post by **BurningMemory** » Sat May 04, 2024 3:12 am

Found out what the problem was. I had /proc mounted with the hidepid=2 fs option.
For some reason the system bus could not read /proc/{pid}/status directory when
trying to authorize usage. What a surprise, the problem turned out to be not with
polkit at all. Wonder if I should file a bug about this, because this is a security
measure after all.