Description of problem:
SELinux denies access when using the openvpn-plugin-auth-pam.so plugin.

type=AVC msg=audit(1594833831.007:12586): avc: denied { dac_override } for pid=9748 comm="unix_chkpwd" capability=1 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):
openvpn-2.4.12-1.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Build a Rocky Linux 8 system.
2. Enable the EPEL repo.
3. Install the OpenVPN package.
4. Configure the OpenVPN server to use the openvpn-plugin-auth-pam.so plugin.
5. Connect from a client and attempt to authenticate.

Actual results:
Authentication fails.

Expected results:
Authentication is successful.

Additional info:
Server configuration is as follows:

"
#Tunnel Options
dev tun
group nobody
keepalive 10 60
local 172.16.0.2
persist-key
persist-tun
port 1194
proto udp4
script-security 2
topology net30
user nobody
verb 3

#Server Mode
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
server 192.168.2.0 255.255.255.0
username-as-common-name

#Client Mode

#Data Channel Encryption Options
auth SHA512
cipher AES-256-GCM

#TLS Mode Options
ca /etc/pki/openvpn/ca.crt
cert /etc/pki/openvpn/server.crt
dh /etc/pki/openvpn/dh.pem
key /etc/pki/openvpn/server.key
remote-cert-tls client
reneg-sec 0
tls-auth /etc/pki/openvpn/ta.key
tls-version-min 1.2

#SSL Library information

#Generate a random key

#TUN/TAP persistent tunnel config mode

#Windows-Specific Options

#PKCS#11 Standalone Options

#IPv6 Related Options
"

To allow the authentication to work I have installed the following SELinux policy:

"
module invade-openvpn_pam 1.0;

require {
        type chkpwd_t;
        class capability dac_override;
}

#============= chkpwd_t ==============
allow chkpwd_t self:capability dac_override;
"

I also found someone else with the same problem in:
https://serverfault.com/questions/1025357/openvpn-with-pam-with-systemd-and-selinux
and they change the "CapabilityBoundingSet" systemd service values to allow the authentication to work.
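
An added example, not part of the original report: a small Python parser that takes the AVC record quoted above and derives the policy module that covers exactly that denial, showing why the rule targets "self" (source and target type are both chkpwd_t). The module name "local_chkpwd_dac" is constructed for the example.

```python
import re

# AVC record from the report above (whitespace as it appears on the page).
SAMPLE = (
    'type=AVC msg=audit(1594833831.007:12586): avc: denied { dac_override } '
    'for pid=9748 comm="unix_chkpwd" capability=1 '
    'scontext=system_u:system_r:chkpwd_t:s0 '
    'tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC denial that a policy rule is built from."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Simplification: key=value pairs are split on whitespace, so a quoted
    # value containing spaces (possible for comm=) is not handled.
    kv = dict(p.split('=', 1) for p in m.group('rest').split() if '=' in p)
    if not {'scontext', 'tcontext', 'tclass'}.issubset(kv):
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm', '').strip('"'),
        'source': kv['scontext'].split(':')[2],   # user:role:type:level
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        'enforced': kv.get('permissive') == '0',
    }

def _perms(perms):
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def allow_rule(d):
    # When source and target type are the same domain, the rule uses "self".
    target = 'self' if d['source'] == d['target'] else d['target']
    return f"allow {d['source']} {target}:{d['tclass']} {_perms(d['perms'])};"

def module_source(name, denials):
    """Build a .te module containing only what the given denials require."""
    types = sorted({t for d in denials for t in (d['source'], d['target'])})
    classes = {}
    for d in denials:
        classes.setdefault(d['tclass'], []).extend(d['perms'])
    req = [f"    type {t};" for t in types]
    req += [f"    class {c} {_perms(p)};" for c, p in sorted(classes.items())]
    rules = sorted({allow_rule(d) for d in denials})
    return '\n'.join([f"module {name} 1.0;", "", "require {", *req, "}", "", *rules]) + '\n'

if __name__ == '__main__':
    # "local_chkpwd_dac" is a constructed module name for this example.
    print(module_source('local_chkpwd_dac', [parse_avc(SAMPLE)]))
```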