Hi!
I am trying to add a VPN configuration to NetworkManager on a basically headless host. (It does have a GUI which I can access if I really need to, but that’s beyond the point.)
The proper way to do this is:

```
nmcli connection import type openvpn file myvpnconfig.ovpn
```

(without sudo!).
Yet when logged in via ssh, I get:

```
Error: Failed to add 'myvpnconfig' connection: Insufficient privileges
```
journalctl -ex reports nothing more (even in nmcli log DEBUG mode), except for naming the action:

```
NetworkManager[791]: <info> [1591696744.4759] audit: op="connection-add" pid=7709 uid=1000 result="fail" reason="Insufficient privileges"
```
I know from experience that this command worked from a terminal in the main display (i.e. not remotely) on F27.
After some digging, I found out that NetworkManager can report permissions (not “privileges”):
```
[user@host ~]$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.enable-disable-network             no
org.freedesktop.NetworkManager.enable-disable-wifi                no
org.freedesktop.NetworkManager.enable-disable-wwan                no
org.freedesktop.NetworkManager.enable-disable-wimax               no
org.freedesktop.NetworkManager.sleep-wake                         no
org.freedesktop.NetworkManager.network-control                    auth
org.freedesktop.NetworkManager.wifi.share.protected               no
org.freedesktop.NetworkManager.wifi.share.open                    no
org.freedesktop.NetworkManager.settings.modify.system             auth
org.freedesktop.NetworkManager.settings.modify.own                auth
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.settings.modify.global-dns         auth
org.freedesktop.NetworkManager.reload                             auth
org.freedesktop.NetworkManager.checkpoint-rollback                auth
org.freedesktop.NetworkManager.enable-disable-statistics          no
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
org.freedesktop.NetworkManager.wifi.scan                          unknown
```
I also know from the above-named experience that these values differ if logged in on the display or remotely. I assume this difference is controlled in some way either by PolicyKit or PAM, but I find no documentation on this.
This brings on two questions:
- org.freedesktop.NetworkManager.settings.modify.system = auth should mean I should be prompted for authorization, and not refused, right? Or does “enable-disable-network” apply? And why does NM not say which applies?
- Assuming I need to change something to have the same permissions as on a display: What do I need to change? (I’m a trusted user - I trust myself - and I do not care to resort to sudo for something which should work without it. And please assume I cannot access the GUI without going to big pains, e.g. driving to the host’s site.)
I noted that /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy defines these permissions, with yet other semantics:
```xml
<action id="org.freedesktop.NetworkManager.settings.modify.system">
  [...]
  <defaults>
    <allow_any>auth_admin_keep</allow_any>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
```

(This can also be queried with `pkaction --verbose --action-id nameofaction`.)
The “allow_” and “auth_” directives are quite well documented for polkit, but, again, which one applies, and why am I outright denied to add a connection?
BTW, it took me some hours of googling to get to all this knowledge so far, meaning to say it’s all not that well documented (and error/log messages are insufficient). And I’m a 25+ year home-Linux system admin.
Thanks for any help,
Moritz
(Edited for formatting of included XML.)
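In polkit, `allow_active` and `allow_inactive` apply only to local sessions (the display); a session that is not local, such as ssh, falls under `allow_any`, which the quoted `.policy` sets to `auth_admin_keep`. The rule below is an added example, not part of the post: it grants the `settings.modify.*` actions to members of an assumed group `netadmin` from any session and otherwise leaves the `.policy` defaults in force (the `typeof polkit` guard only lets the function be exercised outside polkit).

```javascript
// Constructed example polkit rule, e.g. saved as
// /etc/polkit-1/rules.d/50-networkmanager.rules (path is an assumption).
// Members of the assumed group "netadmin" may add/modify connections from any
// session, ssh included; everyone else keeps the defaults from
// org.freedesktop.NetworkManager.policy (allow_any=auth_admin_keep, ...).
var NM_SETTINGS_PREFIX = "org.freedesktop.NetworkManager.settings.modify.";
var TRUSTED_GROUP = "netadmin"; // assumption: create it and add the user to it

// Decide for one (action, subject) pair. Returning undefined hands the decision
// to later rules and finally to the <defaults> in the .policy file, so only the
// NetworkManager settings actions are ever touched by this rule.
function nmSettingsRule(action, subject) {
  if (action.id.indexOf(NM_SETTINGS_PREFIX) !== 0) {
    return undefined;          // not a NetworkManager settings action
  }
  if (subject.isInGroup(TRUSTED_GROUP)) {
    return "yes";              // polkit.Result.YES, for local and remote sessions
  }
  if (!subject.local) {
    return "auth_admin_keep";  // same as allow_any; this is where ssh sessions land
  }
  return undefined;            // local sessions: keep allow_active/allow_inactive
}

// Registered only when evaluated by polkit; under node the function can be
// called with fake action/subject objects instead.
if (typeof polkit !== "undefined") {
  polkit.addRule(nmSettingsRule);
}
```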