Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
openvpn[1111]: sudo: unable to send audit message
openvpn[1111]: sudo: pam_open_session: System error
openvpn[1111]: sudo: policy plugin failed session initialization
See links from https://community.openvpn.net/openvpn/ticket/918 for
more.
auth_pam is a common use case and capabilties for it should be allowed
by the .service file.
Fixes: #918
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -11,7 +11,7 @@ Type=notify |
11 | 11 |
PrivateTmp=true |
12 | 12 |
WorkingDirectory=/etc/openvpn/server |
13 | 13 |
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf |
14 |
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE |
|
14 |
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
|
15 | 15 |
LimitNPROC=10 |
16 | 16 |
DeviceAllow=/dev/null rw |
17 | 17 |
DeviceAllow=/dev/net/tun rw |