Issue #3339

NetworkManager-strongswan is missing a dbus configuration file on openSUSE

Added by Johannes Kastl about 1 year ago. Updated about 1 year ago.

networkmanager (charon-nm)
Affected version:


The strongswan NetworkManager plugin is missing a configuration file for dbus, after this is created the connection works.

Without the file this error is shown in the log files:

Feb 11 20:01:23 foo charon-nm[9784]: Failed to initialize a plugin instance: Connection ":1.148" is not allowed to own the service "org.freedesktop.NetworkManager.strongswan" due to security policies in the configuration file

Once I created the file /etc/dbus-1/system.d/nm-strongswan-service.conf containing the following lines, everything works smoothly:

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" 
        <policy user="root">
                <allow own_prefix="org.freedesktop.NetworkManager.strongswan"/>
                <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
        <policy context="default">
                <deny own_prefix="org.freedesktop.NetworkManager.strongswan"/>
                <deny send_destination="org.freedesktop.NetworkManager.strongswan"/>

I attached the file to this issue.

If prepared a fixed package for openSUSE (, but of course we would like to have this fixed upstream.

Here some details on my system:
openSUSE Tumbleweed with Plasma Desktop

Following packages are installed:


If more details are needed, please reach out to me.

Kind Regards,

nm-strongswan-service.conf (518 Bytes) nm-strongswan-service.conf configuration file needed to fix the error Johannes Kastl, 13.02.2020 17:17

Associated revisions

Revision cfed3a87 (diff)
Added by Tobias Brunner about 1 year ago

charon-nm: Use better default directory for D-Bus policy file

Also makes it configurable via configure script. Depending on `$datadir` is
not ideal as package maintainers might set that to a custom value. Depending
on `$datarootdir` might have been better, the default if pkg-config fails is
now based on that.

References #3339.


#1 Updated by Tobias Brunner about 1 year ago

  • Status changed from New to Feedback

Such a file already exists and is installed in <prefix>/share/dbus-1/system.d, not in /etc/dbus-1/system.d anymore since 9b0cc5c5cbf4 (included in 5.8.2), as that's apparently not recommended with newer D-Bus versions. It's possible the package maintainer didn't notice this change and forgot to package the file in the new location.

Edit: Note that the service file shouldn't be shipped with the NM plugin (GUI built from separate sources in source:src/frontends/gnome, probably shipped in the NetworkManager-strongswan package), but the actual D-Bus service (charon-nm daemon, built from the regular sources, source:src/charon-nm, and probably shipped in the strongswan-nm package).

#2 Updated by Tobias Brunner about 1 year ago

  • Tracker changed from Issue to Bug
  • Target version set to 5.8.3

OK, I see what the problem is. We actually install the file in $(datadir)/dbus-1/system.d, where $datadir defaults to $(prefix)/share. Unfortunately, the package maintainer set $datadir to $(prefix)/share/strongswan (see strongswan.spec), so that won't work. I guess we better use $(prefix)/share directly here or try to find the correct path via pkg-config.

I've pushed a possible fix to the 3339-nm-service-conf branch.

#3 Updated by Tobias Brunner about 1 year ago

My quick analysis above actually was wrong. It seems the variables at the top are only used to refer to dirs when collecting files, not to set them (at least not all of them).

Instead, the problem could be this part of the spec file:

%files ipsec
%if %{with systemd}

The D-Bus policy file of the NM service is made dependent on the systemd variable and put into the strongswan-ipsec package, even though there is no relation to systemd or the regular IKE daemon(s). Instead, it should be put in the strongswan-nm package (i.e. should be listed in the %files nm section). As a workaround, you could probably just install the strongswan-ipsec package to get the policy file.

#4 Updated by Johannes Kastl about 1 year ago

Hi Tobias,

yes, you are right, this was a simple packaging issue, fixed in

Sorry for the noise.

Kind Regards,

#5 Updated by Tobias Brunner about 1 year ago

  • Tracker changed from Bug to Issue
  • Subject changed from NetworkManager-strongswan is missing a dbus configuration file to NetworkManager-strongswan is missing a dbus configuration file on openSUSE
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Target version deleted (5.8.3)
  • Resolution set to Fixed

Also available in: Atom PDF