Bug 2213792

Summary: SELinux "denied { dac_override }" when using the openvpn-plugin-auth-pam.so plugin.
Product: [Fedora] Fedora EPEL
Reporter: INVADE International Ltd. <third.line>
Component: openvpn
Assignee: David Sommerseth <dazo>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel8
CC: dazo, huzaifas, klember, steve, third.line
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description INVADE International Ltd. 2023-06-09 12:12:01 UTC
Description of problem:
SELinux denies access when using the openvpn-plugin-auth-pam.so plugin.

type=AVC msg=audit(1594833831.007:12586): avc:  denied  { dac_override } for  pid=9748 comm="unix_chkpwd" capability=1  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0


Version-Release number of selected component (if applicable):
openvpn-2.4.12-1.el8.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Build a Rocky Linux 8 system.
2. Enable the EPEL repo.
3. Install the OpenVPN package.
4. Configure the OpenVPN server to use the openvpn-plugin-auth-pam.so plugin.
5. Connect from a client and attempt to authenticate.

Actual results:
Authentication fails.

Expected results:
Authentication is successful.

Additional info:
Server configuration is as follows:
#Tunnel Options
dev tun
group nobody
keepalive 10 60
local 172.16.0.2
persist-key
persist-tun
port 1194
proto udp4
script-security 2
topology net30
user nobody
verb 3

#Server Mode
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
server 192.168.2.0 255.255.255.0
username-as-common-name

#Client Mode

#Data Channel Encryption Options
auth SHA512
cipher AES-256-GCM

#TLS Mode Options
ca /etc/pki/openvpn/ca.crt
cert /etc/pki/openvpn/server.crt
dh /etc/pki/openvpn/dh.pem
key /etc/pki/openvpn/server.key
remote-cert-tls client
reneg-sec 0
tls-auth /etc/pki/openvpn/ta.key
tls-version-min 1.2

#SSL Library information

#Generate a random key

#TUN/TAP persistent tunnel config mode

#Windows-Specific Options

#PKCS#11 Standalone Options

#IPv6 Related Options

To allow the authentication to work I have installed the following SELinux policy:
module invade-openvpn_pam 1.0;

require {
	type chkpwd_t;
	class capability dac_override;
}

#============= chkpwd_t ==============
allow chkpwd_t self:capability dac_override;

I also found someone else with the same problem in:
https://serverfault.com/questions/1025357/openvpn-with-pam-with-systemd-and-selinux

and they changed the "CapabilityBoundingSet" systemd service values to allow the authentication to work.
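As an added example that is not part of this report or of the openvpn package: a small Python parser that takes AVC records like the one quoted above, decodes the numeric capability field, and derives the narrowest allow rule, reproducing the `allow chkpwd_t self:capability dac_override;` line of the module above. The second record in the sample log is constructed for contrast and is not from the report.

```python
import re
# Constructed sample log: the first record is the denial quoted in the
# report; the second is a made-up file denial (permissive=1) for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594833831.007:12586): avc:  denied  { dac_override } for  pid=9748 comm="unix_chkpwd" capability=1  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1594833900.120:12590): avc:  denied  { read open } for  pid=9800 comm="openvpn" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# Capability numbers as they appear in the AVC 'capability=' field.
CAPABILITY_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC 'denied' record into a dict; return None for other lines."""
    match = _PERMS_RE.search(line)
    if not match:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    rec["perms"] = match.group(1).split()
    # A context is user:role:type:level; TE rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the access was actually blocked, not merely logged.
    rec["enforced"] = rec.get("permissive") == "0"
    if "capability" in rec:
        rec["capability_name"] = CAPABILITY_NAMES.get(int(rec["capability"]), "CAP_UNKNOWN")
    return rec


def allow_rule(rec):
    """Narrowest TE allow rule for one record, written as audit2allow does ('self' for same domain)."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm_str};"


def analyze(audit_log):
    """Attach a candidate rule to every denial; class=capability grants cover the whole domain."""
    results = []
    for line in audit_log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rec["rule"] = allow_rule(rec)
            results.append(rec)
    return results
```

A capability rule such as the one generated for chkpwd_t is not scoped to a file or directory, so checking which object unix_chkpwd actually failed to access is worth doing before loading the module.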