New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NM Gnome applet sends path to charon, which might be unreachable to system daemon #739
Comments
Thanks for the report. There is a duplicate issue in the old bug tracker. I think passing the certificate/key (the CA/gateway cert too) from the auth dialog might be possible, but it would require some major refactoring in the code of that and that of charon-nm for which I currently don't have the resources. Authentication via ssh-agent is probably also not possible, right? We pass the |
I just learned from NM guys on IRC, that ~/.cert directory has different SELinux context. It should be available to charon-nm if user saves certificates inside that directory. chmod +x $HOME might be needed. |
I see, great. So should we close this? |
Please wait, I were not able to confirm it works yet. Do you know any strongswan server I could use for testing, without configuring my own service somewhere? |
You don't really need an actual server to test this as the inability to read the certificate/key will cause an error before initiating the connection. |
Fedora, since strongswan version 5.9.0-4 (issue) builds strongstan with I do not think we should close this issue - I would make it a starting point for implementation to allow files to be passed at runtime. @tobiasbrunner what |
Oh, okay. At least for readable cert stored in ~/.cert/, no failure is reported. I had to enable +x on my home. I had to call
But it seems to me build without |
Unless it was patched out, it should keep those (plugins can request capabilities they require and these are then not dropped).
They are passed at runtime either way, just either as data blob or as file path.
Don't have a link except the source. |
System (please complete the following information):
Describe the bug
Fedora has SELinux security layer enabled by default. It prevents even services running under root from some privileges, which root usually has. For example it prevents system services to read user directories, when they have no need for that.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Client part of the UI plugin would read certificate file as it is. It would send the contents to charon-nm service over d-bus. It would not have to read any file from external directories, such as /home. Form x509 from certificate data, not file path. Both user and charon would access only data allowed by them.
Logs/Backtraces
No log, just bug #1932473 report on Red Hat bugzilla.
Additional context
Some discussion were done about it on: https://ask.fedoraproject.org/t/cannot-connect-to-ikev2-vpn-on-fedora-33-no-trusted-rsa-public-key-found/
The text was updated successfully, but these errors were encountered: