I am running CentOS 6.4.
# cat /etc/centos-release
CentOS release 6.4 (Final)
After some updates, and a reboot, OpenVPN fails to start.
# service openvpn start
Starting openvpn: [FAILED]
/var/log/messages shows the following output on openvpn:
Nov 13 14:09:58 host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
Nov 13 14:09:58 host openvpn[5777]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied
So apparently it's an SELinux problem.
I tried updating to openvpn-2.3.2-2.el6.x86_64 as per this bug report but no success. How should I debug / fix this?
EDIT: Thanks to both Iain and Jiri Xichtkniha. I changed the location of the log file in /etc/openvpn/server.conf to read
status /var/log/openvpn-status.log
which works with current policy.
Best Answer
A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be). The default context for /var/log/openvpn is openvpn_var_log_t.
A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t, which is the context that /var/log/openvpn gets, e.g. which will generate a .pp file that you can install.
Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.
For Jiri Xichtkniha: if you look at the generated .te file, amongst other things it says
Note that openvpn_var_log_t isn't listed.
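To make the second approach concrete, here is an added Python example (not part of the question or the answer above) that does the core of what audit2allow does when it turns AVC denials into a local policy module: it parses the `avc: denied` lines from /var/log/messages, reduces each to (source type, target type, object class, permissions), and prints the `.te` text with the `require` block and `allow` rules. The sample log lines are constructed for this example, modelled on the denial quoted in the question; the module name `localOpenVpn` follows the answer. The example only generates the text; compiling it with checkmodule/semodule_package and loading it with semodule is left to the real tools. Reading the `require` block is the check the answer recommends: it lists every type the rules need, so `openvpn_var_log_t` should appear there.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt (not a real capture). The first line is the
# denial shape quoted in the question; the third is a plausible follow-on
# denial on the status file itself once the directory is readable.
SAMPLE_MESSAGES = """\
Nov 13 14:09:58 host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
Nov 13 14:09:58 host openvpn[5777]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied
Nov 13 14:10:02 host kernel: type=1400 audit(1384344602.101:39762): avc: denied { write } for pid=5777 comm="openvpn" name="openvpn-status.log" dev=dm-0 ino=54527870 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=file
"""

# Matches the parts of an AVC denial that a policy rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "comm": m.group("comm"),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def fmt_perms(perms):
    """Single permission bare, several in braces, like audit2allow output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(denials, module_name="localOpenVpn", version="1.0"):
    """Merge denials into a minimal .te module: require block plus allow rules."""
    rules = defaultdict(set)          # (source, target, class) -> perms
    class_perms = defaultdict(set)    # class -> union of perms (for require)
    types = set()
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        rules[key].update(d["perms"])
        class_perms[d["tclass"]].update(d["perms"])
        types.update((d["source"], d["target"]))

    out = [f"module {module_name} {version};", "", "require {"]
    for t in sorted(types):
        out.append(f"\ttype {t};")
    for cls in sorted(class_perms):
        out.append(f"\tclass {cls} {fmt_perms(class_perms[cls])};")
    out.append("}")
    out.append("")
    for (src, tgt, cls) in sorted(rules):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(rules[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te_module(parse_avc_denials(SAMPLE_MESSAGES)))
```

The generated rules are deliberately as narrow as the denials themselves (one source type, one target type, one class, only the denied permissions), which is why reviewing the `.te` before building the `.pp` matters: a module that granted, say, `var_log_t` or a wider class set would loosen confinement for every openvpn process on the host. If the status file is simply moved to /var/log as in the accepted quick fix, no module is needed at all.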