Bug 1921082

Summary:	nmcli connection reload not working for regular user
Product:	Red Hat Enterprise Linux 8	Reporter:	Filip Pokryvka <fpokryvk>
Component:	NetworkManager	Assignee:	NetworkManager Development Team <nm-team>
Status:	CLOSED NOTABUG	QA Contact:	Desktop QE <desktop-qa-list>
Severity:	unspecified	Docs Contact:
Priority:	low
Version:	8.4	CC:	acardace, atragler, bgalvani, ferferna, fge, lrintel, rkhan, sukulkar, thaller, till
Target Milestone:	rc	Keywords:	Triaged
Target Release:	8.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-11-17 00:13:33 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Filip Pokryvka 2021-01-27 13:40:22 UTC

Description of problem:
`nmcli con reload` does not work for a non-root user.

Version-Release number of selected component (if applicable):
1.30.0-0.7.el8

How reproducible:
always

Steps to Reproduce:
1. assure non-root user has reload permission in `nmcli general permission`
2. nmcli connection reload (as non-root user)

Actual results:
Error: failed to reload connections: access denied.

Expected results:
It should work, not only for root.

Additional info:
# nmcli general permissions
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.checkpoint-rollback                yes   
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes   
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-statistics          yes   
org.freedesktop.NetworkManager.enable-disable-wifi                yes   
org.freedesktop.NetworkManager.enable-disable-wimax               yes   
org.freedesktop.NetworkManager.enable-disable-wwan                yes   
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.reload                             yes   
org.freedesktop.NetworkManager.settings.modify.global-dns         yes   
org.freedesktop.NetworkManager.settings.modify.hostname           yes   
org.freedesktop.NetworkManager.settings.modify.own                yes   
org.freedesktop.NetworkManager.settings.modify.system             yes   
org.freedesktop.NetworkManager.sleep-wake                         yes   
org.freedesktop.NetworkManager.wifi.scan                          yes   
org.freedesktop.NetworkManager.wifi.share.open                    yes   
org.freedesktop.NetworkManager.wifi.share.protected               yes

Comment 2 Beniamino Galvani 2021-11-16 08:44:21 UTC

Currently NetworkManager requires that connection files are owned by
root and are not readable by other users (at least for those is
keyfile format). The permission to reload connections is restricted to
root via a D-Bus policy file and can't be configured at the moment.

It doesn't seem useful if non-root users are allowed to reload files
they can't write or even read.

Note that the "Reload" permission found in the nmcli permissions is
something different, it's a permission to reload the daemon
configuration.

  $ pkaction -v -a org.freedesktop.NetworkManager.reload
  org.freedesktop.NetworkManager.reload:
    description:       Reload NetworkManager configuration
    message:           System policy prevents reloading NetworkManager