[rpms/NetworkManager] f44: Fix strongSwan VPN connection bug (rhbz #2461399)

[Christian Krause <chkr@fedoraproject.org>]

A new commit has been pushed.

Repo   : rpms/NetworkManager
Branch : f44
Commit : 8d1b20590a1364534d2f352b5e34bdd8810be9df
Author : Christian Krause <chkr@fedoraproject.org>
Date   : 2026-06-12T00:02:02+02:00
Stats  : +46/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/NetworkManager/c/8d1b20590a1364534d2f352b5e34bdd8810be9df?branch=f44

Log:
Fix strongSwan VPN connection bug (rhbz #2461399)

---
diff --git a/0001-libnm-use-correct-directory-permissions-in-nm_utils_.patch b/0001-libnm-use-correct-directory-permissions-in-nm_utils_.patch
new file mode 100644
index 0000000..83b4477
--- /dev/null
+++ b/0001-libnm-use-correct-directory-permissions-in-nm_utils_.patch
@@ -0,0 +1,39 @@
+From d86050f6d4c5f82772cff6967a31cb8779c06298 Mon Sep 17 00:00:00 2001
+From: Christian Krause <chkr@plauener.de>
+Date: Tue, 2 Jun 2026 22:28:51 +0200
+Subject: [PATCH] libnm: use correct directory permissions in
+ nm_utils_copy_cert_as_user
+
+This patch fixes https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/work_items/1957.
+
+At the moment, libnm creates the temporary certificate directory
+with permission 0600.
+
+Some NM plugins drop most of their capabilities (including CAP_DAC_OVERRIDE)
+on startup and so, even when running as root, they can't create files
+in that directory (since the execute permission is missing).
+
+This patch sets the permission to 0700 to fix the problem.
+
+Fixes: 1a52bbe7c9dc ('libnm: add function to copy a certificate or key as user')
+(cherry picked from commit 0d0b03e7d3f3082540a0dbc7ec05de835b92563d)
+---
+ src/libnm-core-impl/nm-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libnm-core-impl/nm-utils.c b/src/libnm-core-impl/nm-utils.c
+index 1bf00831f9..3624a25764 100644
+--- a/src/libnm-core-impl/nm-utils.c
++++ b/src/libnm-core-impl/nm-utils.c
+@@ -6427,7 +6427,7 @@ nm_utils_copy_cert_as_user(const char *filename, const char *user, GError **erro
+     nm_str_buf_destroy(&info.output_buffer);
+     nm_str_buf_destroy(&info.error_buffer);
+ 
+-    mkdir(RUN_CERT_DIR, 0600);
++    mkdir(RUN_CERT_DIR, 0700);
+     fd = mkstemp(dst_path);
+     if (fd < 0) {
+         g_set_error_literal(error,
+-- 
+2.54.0
+

diff --git a/NetworkManager.spec b/NetworkManager.spec
index 94a1e44..6b8407d 100644
--- a/NetworkManager.spec
+++ b/NetworkManager.spec
@@ -6,7 +6,7 @@ Group:   System Environment/Base
 
 Epoch:   1
 Version: 1.56.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 ###############################################################################
 
@@ -174,6 +174,9 @@ Source9: readme-ifcfg-rh-migrated.txt
 
 Patch1: 0001-pacrunner-don-t-pass-DNS-search-domains-to-PAC-runne.patch
 
+# Keep until next rebase, https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/d86050f6d4c5f82772cff6967a31cb8779c06298
+Patch2: 0001-libnm-use-correct-directory-permissions-in-nm_utils_.patch
+
 Requires(post): systemd
 Requires(post): systemd-udev
 Requires(post): /usr/sbin/update-alternatives
@@ -1070,6 +1073,9 @@ fi
 
 
 %changelog
+* Thu Jun 11 2026 Christian Krause <chkr@fedoraproject.org> - 1:1.56.1-2
+- Apply upstream patch to fix strongSwan VPN connection problem (rhbz#2461399)
+
 * Fri May 15 2026 Íñigo Huguet <ihuguet@riseup.net> - 1:1.56.1-1
 - Update to 1.56.1 release
 - Don't send DNS domains as proxy domains for pacrunner (rhbz#2467851)