A quick fix would be to change the log file to be /var/log/openvpn-status.log, as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).

The default context for /var/log/openvpn is openvpn_var_log_t:

matchpathcon /var/log/openvpn
/var/log/openvpn system_u:object_r:openvpn_var_log_t:s0
A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t, which is the context that /var/log/openvpn gets, e.g.

echo "host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn

which will generate a .pp file that you can install:

semodule -i localOpenVpn.pp

Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.
For Jiri Xichtkniha
If you look at the generated .te file, amongst other things it says:

#============= openvpn_t ==============
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t,
# tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
# cluster_var_run_t, root_t, cluster_conf_t

Note that openvpn_var_log_t isn't listed.
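An added example, not from either answer, showing the text processing behind the audit2allow step above: it pulls the source type, target type, object class and permissions out of the quoted AVC denial, prints the allow rule a local module would contain, and checks the target type against the "can write to a 'dir' of the following types" list from the generated .te file, which is why openvpn_var_log_t needs either a relabel or a local module. The sample line is the denial from the answer; the function names and the list variable are my own and nothing here touches the live policy.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the answer above.
SAMPLE_AVC='host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir'

# Types the .te comment says openvpn_t may already write to as a 'dir'
# (copied from the generated file shown in the answer).
WRITABLE_DIR_TYPES='net_conf_t pcscd_var_run_t openvpn_etc_t openvpn_tmp_t openvpn_var_run_t tmp_t etc_t var_run_t var_log_t krb5_host_rcache_t cluster_var_lib_t cluster_var_run_t root_t cluster_conf_t'

# avc_field LINE KEY -> the value of "KEY=value" in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE -> the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow src_t tgt_t:class { perms };" as audit2allow emits it
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# type_in_list TYPE -> 0 if TYPE is in WRITABLE_DIR_TYPES, 1 otherwise
type_in_list() {
    for t in $WRITABLE_DIR_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Walk the sample denial and report which fix applies.
rule=$(avc_to_allow "$SAMPLE_AVC")
tgt=$(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)")
printf 'Rule a local module would need: %s\n' "$rule"
if type_in_list "$tgt"; then
    printf '%s is already writable by openvpn_t: relabel the path, no new policy needed.\n' "$tgt"
else
    printf '%s is not in the writable list: relabel to var_log_t or install a local module.\n' "$tgt"
fi
```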
Best Answer
The problem seems to be the security context of some files. The steps you need to take are:

1. Check if trying to start the service generates AVC denials. It could be the case that there is no output; you could try to disable dontaudit rules temporarily.
2. Check the permissions and security labels of the affected files and/or directories.
3. Query the current policy to see what the expected security label is.
4. If the current security label and the expected security label don't match, restore it. Note that you can restore directories recursively.
5. Try again to start the service and repeat the steps if necessary.