A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).
The default context for /var/log/openvpn is openvpn_var_log_t
matchpathcon /var/log/openvpn
/var/log/openvpn system_u:object_r:openvpn_var_log_t:s0
A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t which is the context that /var/log/openvpn gets e.g.
echo "host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn
which will generate a .pp file that you can install
semodule -i localOpenVpn.pp
Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.
For Jiri Xichtkniha
If you look at the generated .te file amongst other things it says
#============= openvpn_t ==============
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t,
tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
cluster_var_run_t, root_t, cluster_conf_t
Note that openvpn_var_log_t isn't listed.
Best Answer
The problem seems to be the security context of some files.
The steps you need to take are:
check if trying to start the service generates AVC denials
it could be the case that there were no output. You could try to disable
dontauditrules temporarilycheck the permissions and security labels of the affected files and/or directories
query the current policy to see what is the expected security label
if the current security label and the expected security label don't match, restore it. Note that you can restore directories recursively
try again to start the service and repeat the steps if necessary