Description of problem: The example config in /usr/share/docs/openvpn-2.3.2/sample-config-files/server.conf and the example config on the openvpn website have a 'status' entry that's not compatible with SELinux. However, no documentation explains this.
Version-Release number of selected component (if applicable): 2.3.2-4.el7
How reproducible: Always
Steps to Reproduce:
1. Install openvpn and copy example conf from either the docs or website.
2. Edit config to use valid certificates.
3. Attempt to start openvpn.
Actual results: Fails to start. SELinux catches attempt to write to /etc/openvpn/openvpn-status.log
Expected results: openvpn should start.
SELinux expects the openvpn-status.log file to be in /var/log, which is a reasonable assumption, but this is not documented anywhere.
The example conf in /usr/share/docs/openvpn-2.3.2/sample-config-files and the openvpn website use the line 'status openvpn-status.log' and there is nothing to suggest that this shouldn't be the line to use.
However, as the systemd unit in the openvpn package starts the server with '--cd /etc/openvpn', it tries to write the status to this location, which is not allowed by SELinux.
Would it not be a good idea to place a working sample conf in /etc/openvpn which is well documented? Maybe also include the fact that openvpn uses instantiated units and the conf file name should be the same as the systemd unit's instance identifier.
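A pre-flight check for the mismatch reported above, as an added example that is not part of the original report or of the openvpn package: it resolves the `status` path the way the daemon would after `--cd /etc/openvpn` and reports whether it lands under /var/log. The function names `status_path` and `check_status_path` and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the openvpn package): find where the 'status'
# file of an OpenVPN config ends up once the unit has applied '--cd DIR'.

# status_path CONF [CD_DIR] -> prints the absolute status path, returns 2 if none
status_path() {
    conf=$1
    cd_dir=${2:-/etc/openvpn}   # working directory set by the unit's --cd
    # First active 'status' directive; lines starting with '#' or ';' are
    # comments, so their first field never equals "status".
    file=$(awk '$1 == "status" { f = $2; gsub(/"/, "", f); print f; exit }' "$conf")
    [ -n "$file" ] || return 2
    case $file in
        /*) printf '%s\n' "$file" ;;              # absolute: used as written
        *)  printf '%s/%s\n' "$cd_dir" "$file" ;; # relative: resolved under --cd
    esac
}

# check_status_path CONF [CD_DIR] -> 0 under /var/log, 1 elsewhere, 2 no directive
check_status_path() {
    path=$(status_path "$@") || { echo "no status directive"; return 2; }
    case $path in
        /var/log/*) echo "ok: $path"; return 0 ;;
        *) echo "relocate: $path (e.g. 'status /var/log/openvpn-status.log')"
           return 1 ;;
    esac
}

# Constructed sample configs containing only the relevant lines.
demo_dir=$(mktemp -d)
printf '%s\n' 'port 1194' ';status old.log' 'status openvpn-status.log' \
    > "$demo_dir/sample.conf"
printf '%s\n' 'port 1194' 'status /var/log/openvpn-status.log' \
    > "$demo_dir/fixed.conf"

check_status_path "$demo_dir/sample.conf" || true   # relative path, flagged
check_status_path "$demo_dir/fixed.conf"            # absolute path under /var/log
```
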