Disabling Menu Options in Rocky 8.6

Background: Knee deep in making a rocky8.6 deployment for our controlled environment when 9 came out. We aren’t in a position to dump our work and go to 9, so bear with us for a minute.

One of the things we want to control is our end-users ability to reset the network connection. I.E. they shouldn’t ever need to do that, so we don’t want to provide that as an option. There’s a menu in the desktop settings interface that allows a user to turn the network interface off (and back on). Is there a way to disable that button or even the networking menu entirely?

I tried to add “auth-polkit=root-only” to the networkmanager config, but that was not the magic sauce. Next ideas? Seems like something that doesn’t happen often but we need to somehow prevent users from turning off a network interface in our environment.

Thanks much

After some slight hacking on it, I found a way to disable the actions with polkit:

cat /etc/polkit-1/rules.d/11-disable-networkmanagerchanges.rules 
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 )
    return polkit.Result.NO;

basically saying, if something in the desktop with NetworkManager in the name tries to auth, deny that action.

This may venture into the realm of Gnome functionality, but I wanna leave this open ended for any other ideas. I picked polkit because we have an existing rule that disables the power button.

But if they have access to terminal, they might be able to work around it.
It’s better to think in terms of what features are allowed, rather than what menus can be seen - more like group policy in Windows.

It would be interesting to look at it the other way round, ie how is it that a standard user can take the network down in the first place, possibly cutting off all other logged in users? If they’re only turning off their own network, let them get on with it.

I’m interested in the power button; does it mean they can still log off, but can’t shut down, and more importantly, in a default Rocky 8.6, can a standard user shut down the machine trahsing all other user’s work?

so we checked that beforehand. a normal user cannot do system commands i.e. ip link set down or shutdown. But they could do it via the menu options in gnome. My first thought is gnome somehow auths as a privileged user to run equivalent commands.

Knowing the gnome guys, they sure aren’t gonna treat that like a bug.

So we had an old polkit rule that says

if (action.id == "org.freedesktop.login1.reboot <OR OTHER REBOOT COMMANDS>)
  return polkit.Result.NO;

that effectively disabled the power button in the top bar and other menus. We had one that disabled suspend/hibernate in the same way because suspended machines were a pain to manage, they wouldn’t wake on ping or ssh sometimes. This also meant that locking the screen worked much more consistently, because the screen could lock and stay locked.

We previously didn’t use NetworkManager, and since it was disabled and gnome used networkmanager for changes, it wasn’t relevant. Now that NM is required, we found this original issue.

So it could be that something is elevating NetworkManager, and then you are unelevating it using polkit. I wonder if it could just not be elevated in the first place?

For the power button, are you saying the actual power button icon is still there, but they cna’t use it?

I think it’s a little more awkward than that. Gnome asks polkit “can this user do this” and polkit does the privilege check. Polkit normally would just say “yeah it’s fine”. By adding these rules, we change the polkit behavior for the NetworkManager to prevent changes. In the top bar menu, it’s grayed out. In the settings menu, the changes fail to take effect. I originally tried it with setting NetworkManager’s config to only accept changes from root, but that didn’t work, which is why i think Gnome is elevating privileges from the menu.

For the power button, it’s no longer in the menu, because when Gnome tries to load the button it checks the auth at that point, and the auth returns no. The icon is there in the top right, but it doesn’t give you the option to change power state, just lock state (and the logout action). I refer back to “Gnome is weird when you need enterprise level consistency”