Compatibility of OpenVPN settings and SELinux
The OpenVPN settings in gnome-control-center allow the user to pick certificates from any location, but SELinux blocks anything but ~/.cert for OpenVPN.
The response from the security team is that they don't want to allow certificates from arbitrary locations to be used by the privileged OpenVPN service, so the certificate files MUST be stored in ~/.cert.
Possible solutions:
- Copy the picked files to ~/.cert in the background once the OpenVPN settings are submitted. But unless we let the user know that it's being done, it's not very transparent to him/her. In the future he/she might overwrite the certificate files with new ones and think it will renew the certificates for the VPN service.
- We change the UI so that it looks like an import, so that the user knows the files are not only pointed to, but imported somewhere, and that simply overwriting the original files won't work in the future.
- Some integration with Seahorse to properly import certificates before they're used by OpenVPN.
Edited by Jiri Eischmann