Re: Lockdown nm-applet once again

[Dan Williams <dcbw redhat com>]

On Tue, 2010-01-12 at 10:30 +0100, van Schelve wrote:
> Hi.
> 
> In the archives I have found this entry:
> 
> http://www.mail-archive.com/networkmanager-list gnome org/msg13808.html
> 
> The question that was talked about there was how to lockdown the
> nm-applet.
> 
> I have successfully tried to lockdown the nm-applet by changing the dbus 
> config as descripted by Dan.
> 
> It looks like this would be a valid workaround. But I don't know if it is
> possible
> to have this config part in a seperate file? I didn't found anything
> useful in the 
> freedesktop dbus documentation for this question.

For enable networking and enable wifi/wwan, the best way would be with
PolicyKit.  Unfortunately that's not quite implemented yet and we'll
need to do a bit of work to PK-enable these properties since dbus-glib
doesn't have an easy way of intercepting property get/set calls.  But
that's the perfect future :)

> In general it would be very fine to configure the whole nm-applet in a
> single
> config file (f.e. /etc/NetworkManager/nm-applet.conf). Currently there are
> three
> steps to lockdown nm-applet:
> 
> 1. dbus config to disalbe the enable/disable Network option
> 2. gconf for notification behaviour
> 3. chmod, selinux, apparmor or whatever for nm-connection-editor

I believe that in general the two places for lockdown should be
PolicyKit (for NM in general) and GConf (for nm-applet specifically).
PolicyKit lets administrators lock down the behavior for *all* clients
generically (command-line, Gnome, KDE) while applet-specific behavior
gets locked down by that desktop environment's normal methods.

I'd hope that in this bright shiny future you'd never have to deal with
either (1) or (3) from your list above since it would already be handled
by PK and GConf/K-whatever.

Dan