Bug 1123652

Summary: Update sample-config to use/document proper directories
Product: Fedora EPEL
Component: openvpn
Version: epel7
Reporter: Gareth Williams <gareth>
Assignee: David Sommerseth <dazo>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dazo, ego.cordatus, gwync, huzaifas, steve
Status: NEW
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix

Description Gareth Williams 2014-07-27 18:24:42 UTC
Description of problem: The example config in /usr/share/docs/openvpn-2.3.2/sample-config-files/server.conf and the example config on the openvpn website have a 'status' entry that's not compatible with SELinux.  However, no documentation explains this.


Version-Release number of selected component (if applicable): 2.3.2-4.el7


How reproducible: Always


Steps to Reproduce:
1.  Install openvpn and copy example conf from either the docs or website.
2.  Edit config to use valid certificates.
3.  Attempt to start openvpn

Actual results:

Fails to start. SELinux catches attempt to write to /etc/openvpn/openvpn-status.log

Expected results:

openvpn should start.

Additional info:

SELinux expects the openvpn-status.log file to be in /var/log, which is a reasonable assumption; but this is not documented anywhere.

The example conf in /usr/share/docs/openvpn-2.3.2/sample-config-files and the openvpn website use the line 'status openvpn-status.log' and there is nothing to suggest that this shouldn't be the line to use.

However, as the systemd unit in the openvpn package starts the server with '--cd /etc/openvpn', it tries to write the status to this location, which is not allowed by SELinux.

Would it not be a good idea to place a working sample conf in /etc/openvpn which is well documented?  Maybe also include the fact that openvpn uses instantiated units and the conf file name should be the same as the systemd unit's instance identifier.
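The failure described in the report is easy to reproduce on paper: the sample config uses a relative 'status' path, the unit runs the daemon with '--cd /etc/openvpn', so the file resolves to /etc/openvpn/openvpn-status.log, which SELinux will not let the daemon write. The script below is an added example, not from the bug report or the openvpn package: it resolves every file-writing directive in a config against the unit's working directory and flags those that land under /etc/openvpn, next to a corrected config that puts the status file in /var/log. The list of write directives (status, log, log-append, ifconfig-pool-persist, writepid) is my own reading of OpenVPN's options, and the sample configs are constructed for the demo; the verdict "ok" is only claimed for /var/log, which is what the report states SELinux expects.

```shell
#!/bin/sh
# Added example (not from the bug report or the openvpn package).
# Resolve OpenVPN directives that open a file for writing against the
# working directory the systemd unit passes via --cd, and flag any that
# resolve under /etc/openvpn, where SELinux blocks the daemon's writes.

# OpenVPN directives whose argument is a file written at runtime
# (assumption based on OpenVPN's option set, not taken from the report).
WRITE_DIRECTIVES="status log log-append ifconfig-pool-persist writepid"

# resolve_path CWD PATH -> absolute path, the same way openvpn --cd does
# (no filesystem access, so it runs anywhere)
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# check_openvpn_config CONF CWD
# Prints "DIRECTIVE RESOLVED_PATH VERDICT" for each write directive found.
#   DENIED     - under /etc/openvpn (the report's observed SELinux denial)
#   ok         - under /var/log (where the report says SELinux expects it)
#   unverified - anywhere else; the report makes no claim about it
check_openvpn_config() {
    # drop comments (# or ;), leading whitespace and blank lines
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" |
    while read -r directive arg _rest; do
        case " $WRITE_DIRECTIVES " in
            *" $directive "*) ;;
            *) continue ;;
        esac
        resolved=$(resolve_path "$2" "$arg")
        case "$resolved" in
            /etc/openvpn/*) verdict=DENIED ;;
            /var/log/*)     verdict=ok ;;
            *)              verdict=unverified ;;
        esac
        printf '%s %s %s\n' "$directive" "$resolved" "$verdict"
    done
}

# config_is_selinux_safe CONF CWD -> exit 0 if nothing resolves into /etc/openvpn
config_is_selinux_safe() {
    ! check_openvpn_config "$1" "$2" | grep -q ' DENIED$'
}

# Constructed sample 1: the relevant lines of the shipped server.conf,
# including the 'status openvpn-status.log' line the report complains about.
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt   # also written at runtime
keepalive 10 120
status openvpn-status.log       ; relative: resolves against --cd
verb 3
EOF

# Constructed sample 2: the same config with the status file moved to /var/log.
SAMPLE_GOOD=$(mktemp)
cat >"$SAMPLE_GOOD" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
EOF

# Demo: evaluate both configs as if started by 'openvpn --cd /etc/openvpn'
for conf in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    echo "== $conf"
    check_openvpn_config "$conf" /etc/openvpn
    if config_is_selinux_safe "$conf" /etc/openvpn; then
        echo "   -> no write directive resolves into /etc/openvpn"
    else
        echo "   -> would fail under SELinux with --cd /etc/openvpn"
    fi
done
```

The check only inspects the config text, so it can run before the unit is started and is a reasonable thing to put in a deployment or CI step. Note that the shipped sample also uses a relative 'ifconfig-pool-persist ipp.txt', which hits the same working-directory problem and would need an absolute path as well.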