Hi,

On Thu, Mar 31, 2022 at 03:20:59PM +0200, David Sommerseth wrote:
> I've also run a few tests using an --up script which modified
> /etc/resolv.conf, which also worked as expected with capabilities enabled.

This is actually an interesting corner case. As far as I understand, --up
runs before setuid, so that should always succeed - but if you do that,
cleaning up resolv.conf in --down won't succeed.

(But this is a totally independent problem of "network things without root"
that this patch addresses)

[..]
> SELinux on Fedora and RHEL (which Rocky Linux inherits) denies the
> OpenVPN process when run via systemd to use the SET_PCAP capability. In
> addition, the SELinux reference policy also denies all interactions with
> the Generic Netlink interfaces used by ovpn-dco. I will follow up this
> with the upstream SELinux reference policy maintainers.

This is a good find. Thanks :-)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
    Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel