Bug 1123652 - Update sample-config to use/document proper directories
Summary: Update sample-config to use/document proper directories
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2014-07-27 18:24 UTC by Gareth Williams
Modified: 2018-02-16 20:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:
Type: Bug


Description Gareth Williams 2014-07-27 18:24:42 UTC
Description of problem: The example config in /usr/share/docs/openvpn-2.3.2/sample-config-files/server.conf and the example config on the openvpn website have a 'status' entry that's not compatible with SELinux.  However, no documentation explains this.

Version-Release number of selected component (if applicable): 2.3.2-4.el7

How reproducible: Always

Steps to Reproduce:
1.  Install openvpn and copy example conf from either the docs or website.
2.  Edit config to use valid certificates.
3.  Attempt to start openvpn

Actual results:

Fails to start. SELinux catches attempt to write to /etc/openvpn/openvpn-status.log

Expected results:

openvpn should start.

Additional info:

SELinux expects the openvpn-status.log file to be in /var/log, which is a reasonable assumption; but, this is not documented anywhere.

The example conf in /usr/share/docs/openvpn-2.3.2/sample-config-files and the openvpn website use the line 'status openvpn-status.log' and there is nothing to suggest that this shouldn't be the line to use.

However, as the systemd unit in the openvpn package starts the server with '--cd /etc/openvpn', it tries to write the status to this location, which is not allowed by SELinux.

Would it not be a good idea to place a working sample conf in /etc/openvpn which is well documented?  Maybe also include the fact that openvpn uses instantiated units and the conf file name should be the same as the systemd unit's instance identifier.
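
A check for the condition described in this report, as an added example that is not part of the bug report or of the openvpn package: it lists directives whose relative file argument resolves under the `--cd` directory. The function names and the sample config are constructed for illustration; covering `log` and `log-append` in addition to `status` goes beyond the report and is an assumption.

```shell
#!/bin/sh
# Added example: find OpenVPN directives whose relative file argument
# ends up under the --cd directory instead of /var/log.

# check_relative_logs CONFIG [CD_DIR]
# Prints "directive: given -> resolved" per hit; returns 1 if any hit.
check_relative_logs() {
    conf=$1
    cd_dir=${2:-/etc/openvpn}   # directory the systemd unit passes to --cd
    awk -v cd="$cd_dir" '
        # skip comments ("#" or ";" as in the sample config) and blank lines
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        # status is the directive from the report; log and log-append are
        # an assumption of this example (they also name log files)
        $1 == "status" || $1 == "log" || $1 == "log-append" {
            path = $2
            gsub(/^"|"$/, "", path)      # drop surrounding quotes
            if (path != "" && path !~ /^\//) {
                printf "%s: %s -> %s/%s\n", $1, path, cd, path
                hits++
            }
        }
        END { exit (hits > 0) }
    ' "$conf"
}

# Constructed sample input (not copied from the packaged server.conf).
sample_conf() {
    cat <<'EOF'
# constructed sample
port 1194
;log-append openvpn.log
status openvpn-status.log
log /var/log/openvpn.log
EOF
}

# Stand-alone use: sh check.sh /etc/openvpn/server.conf [/etc/openvpn]
if [ $# -gt 0 ]; then
    check_relative_logs "$@"
fi
```
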
