2213792 – SELinux "denied { dac_override }" when using the openvpn-plugin-auth-pam.so plugin.

Bug 2213792 - SELinux "denied { dac_override }" when using the openvpn-plugin-auth-pam.so plugin.

Summary: SELinux "denied { dac_override }" when using the openvpn-plugin-auth-pam.so ...

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	openvpn
Sub Component:
Version:	epel8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	David Sommerseth
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-09 12:12 UTC by INVADE International Ltd.
Modified:	2023-06-09 12:12 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description INVADE International Ltd. 2023-06-09 12:12:01 UTC

Description of problem:
SELinux denies access when using the openvpn-plugin-auth-pam.so plugin.

type=AVC msg=audit(1594833831.007:12586): avc:  denied  { dac_override } for  pid=9748 comm="unix_chkpwd" capability=1  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability permissive=0


Version-Release number of selected component (if applicable):
openvpn-2.4.12-1.el8.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Build a Rocky Linux 8 system.
2. Enable the EPEL repo.
3. Install the OpenVPN package.
4. Configure the OpenVPN server to use the openvpn-plugin-auth-pam.so plugin.
5. Connect from a client and attempt to authenticate.

Actual results:
Authentication fails.

Expected results:
Authentication is successful.

Additional info:
Server configuration is as follows:
"#Tunnel Options
dev tun
group nobody
keepalive 10 60
local 172.16.0.2
persist-key
persist-tun
port 1194
proto udp4
script-security 2
topology net30
user nobody
verb 3

#Server Mode
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
server 192.168.2.0 255.255.255.0
username-as-common-name

#Client Mode

#Data Channel Encryption Options
auth SHA512
cipher AES-256-GCM

#TLS Mode Options
ca /etc/pki/openvpn/ca.crt
cert /etc/pki/openvpn/server.crt
dh /etc/pki/openvpn/dh.pem
key /etc/pki/openvpn/server.key
remote-cert-tls client
reneg-sec 0
tls-auth /etc/pki/openvpn/ta.key
tls-version-min 1.2

#SSL Library information

#Generate a random key

#TUN/TAP persistent tunnel config mode

#Windows-Specific Options

#PKCS#11 Standalone Options

#IPv6 Related Options"

To allow the authentication to work I have installed the following SELinux policy:
"
module invade-openvpn_pam 1.0;

require {
		type chkpwd_t;
		class capability dac_override;
}

#============= logrotate_t ==============
allow chkpwd_t self:capability dac_override;"

I also found someone else with the same problem in:
https://serverfault.com/questions/1025357/openvpn-with-pam-with-systemd-and-selinux

and they change the "CapabilityBoundingSet" systemd service values to allow the authentication to work.

Note You need to log in before you can comment on or make changes to this bug.