Passing user-supplied certificate file names to charon-nm is problematic
The NetworkManager-strongswan GUI lets the user select a server certificate file, which is then passed to charon-nm by pathname. This is problematic for two reasons:
- Files are not the only possible source of certificate material on the system, and with proliferation of software certificate stores, hardware tokens, etc., it may become the least conventional or convenient.
- charon-nm may be subject to the system's security confinement policies and unable to access any arbitrary file path that the user may supply. On Fedora/RHEL/CentOS, charon-nm runs with reduced privileges under SELinux confinement, so an attempt to access a certificate file that's inaccessible to UIDs other than the certificate supplier by plain old user/group DAC permissions results in a SELinux AVC denial.
The currently preferred way to handle certificates in NetworkManager is PKCS#11. The GUI should let the user pick a certificate from a PKCS#11 source using a Gcr widget, then pass the PKCS#11 URI to charon-nm, which should use strongSwan's PKCS#11 infrastructure to extract it. Gcr support may currently be incomplete; see https://bugzilla.gnome.org/show_bug.cgi?id=679860.
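To make the proposal concrete, here is a sketch of how a front end could validate a PKCS#11 URI (RFC 7512) before handing it to the daemon in place of a pathname. It is an added example, not code from this report, NetworkManager-strongswan or strongSwan. The function names, the sample URI, and the policy of rejecting vendor-specific attributes and requiring `type=cert` are assumptions of the example.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512 for the path and query components.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"cert", "data", "private", "public", "secret-key"}


def _parse_attrs(text, sep, allowed):
    # Split "name=value" pairs, percent-decode values, reject unknown names.
    attrs = {}
    for item in filter(None, text.split(sep)):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unknown or malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        raw = unquote_to_bytes(value)
        # "id" is a binary CKA_ID; every other attribute is UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    # Returns (path_attrs, query_attrs); a plain file path is rejected here.
    scheme, colon, rest = uri.partition(":")
    if scheme.lower() != "pkcs11" or not colon:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    p = _parse_attrs(path, ";", PATH_ATTRS)
    q = _parse_attrs(query, "&", QUERY_ATTRS)
    if "type" in p and p["type"] not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {p['type']!r}")
    return p, q


def certificate_reference(uri):
    # Example policy (assumption): the URI must select one certificate object.
    path, query = parse_pkcs11_uri(uri)
    if path.get("type") != "cert":
        raise ValueError("URI does not select a certificate object")
    if "id" not in path and "object" not in path:
        raise ValueError("URI needs an id or object attribute")
    return path, query


# Constructed sample URI, not taken from any real token.
SAMPLE = "pkcs11:token=Example%20Token;object=vpn-server;id=%01%ab;type=cert?module-name=opensc"
```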