Bug 1123652 - Update sample-config to use/document proper directories
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Version: epel7
Hardware: Unspecified
OS: Unspecified
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-27 18:24 UTC by Gareth Williams
Modified: 2018-02-16 20:24 UTC

Doc Type: Bug Fix

Description Gareth Williams 2014-07-27 18:24:42 UTC
Description of problem: The example config in /usr/share/docs/openvpn-2.3.2/sample-config-files/server.conf and the example config on the openvpn website have a 'status' entry that's not compatible with SELinux.  However, no documentation explains this.


Version-Release number of selected component (if applicable): 2.3.2-4.el7


How reproducible: Always


Steps to Reproduce:
1. Install openvpn and copy example conf from either the docs or website.
2. Edit config to use valid certificates.
3. Attempt to start openvpn.

Actual results:

Fails to start. SELinux catches attempt to write to /etc/openvpn/openvpn-status.log

Expected results:

openvpn should start.

Additional info:

SELinux expects the openvpn-status.log file to be in /var/log, which is a reasonable assumption, but this is not documented anywhere.

The example conf in /usr/share/docs/openvpn-2.3.2/sample-config-files and the openvpn website use the line 'status openvpn-status.log' and there is nothing to suggest that this shouldn't be the line to use.

However, as the systemd unit in the openvpn package starts the server with '--cd /etc/openvpn', it then tries to write the status to this location, which is not allowed by SELinux.

Would it not be a good idea to place a working sample conf in /etc/openvpn which is well documented?  Maybe also include the fact that openvpn uses instantiated units and the conf file name should be the same as the systemd unit's instance identifier.
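
Added example (not part of the bug report or of the openvpn package): a small checker that resolves relative file arguments in an OpenVPN config against the '--cd' directory and lists those that do not land under /var/log, the location the report says SELinux expects. The function name, the directive list beyond 'status', and the sample config are assumptions of this example.

```python
import posixpath
import shlex

# Directives whose first argument is a file OpenVPN writes at runtime.
# The report only covers 'status'; 'log' and 'log-append' are added here
# as an assumption of this example.
WRITE_DIRECTIVES = {"status", "log", "log-append"}

def misplaced_writes(config_text, cd_dir="/etc/openvpn", expected_dir="/var/log"):
    """Return (line_no, directive, resolved_path) for each written file
    that does not resolve to a location under expected_dir."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or commented-out line
            continue
        tokens = shlex.split(line, comments=True)   # also drops trailing '# ...'
        if len(tokens) < 2 or tokens[0] not in WRITE_DIRECTIVES:
            continue
        # A relative path is resolved against the --cd directory, which is
        # how 'status openvpn-status.log' ends up in /etc/openvpn.
        resolved = posixpath.normpath(posixpath.join(cd_dir, tokens[1]))
        if not resolved.startswith(expected_dir.rstrip("/") + "/"):
            findings.append((line_no, tokens[0], resolved))
    return findings

# Constructed sample, built around the 'status' line quoted in the report.
SAMPLE_CONF = """\
# constructed server.conf fragment
port 1194
status openvpn-status.log
;log openvpn.log
log-append /var/log/openvpn.log
verb 3
"""

if __name__ == "__main__":
    for line_no, directive, path in misplaced_writes(SAMPLE_CONF):
        print(f"line {line_no}: '{directive}' would write to {path}")
```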

