Description of problem:
Try start OpenVPN server

SELinux is preventing /usr/sbin/openvpn from 'write' accesses on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that openvpn should be allowed write access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:openvpn_etc_t:s0
Target Objects                [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openvpn-2.3.2-4.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-180.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.10-200.fc20.x86_64 #1 SMP Thu Aug 14 15:39:24 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-08-28 20:14:19 YEKT
Last Seen                     2014-08-28 20:15:44 YEKT
Local ID                      bc2b96dc-db75-4d34-a8e5-e92d68289daf

Raw Audit Messages
type=AVC msg=audit(1409235344.925:526): avc: denied { write } for pid=5598 comm="openvpn" name="openvpn-status.log" dev="sda3" ino=154188 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1409235344.925:526): arch=x86_64 syscall=access success=no exit=EACCES a0=7f11922d0708 a1=2 a2=7f118ebef768 a3=0 items=0 ppid=1 pid=5598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=openvpn exe=/usr/sbin/openvpn subj=system_u:system_r:openvpn_t:s0 key=(null)

Hash: openvpn,openvpn_t,openvpn_etc_t,file,write

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.10-200.fc20.x86_64
type:           libreport

Potential duplicate: bug 1002240
Why isn't this file in /var/log/openvpn?
I see the file it tried to access was /var/log/openvpn-access.log, which keeps a status overview of all connected clients. This file is not a generic log file, but a file which openvpn updates regularly. Thus, this information cannot and should not be in /var/log/openvpn.

I've not checked F20, but in F19 I see these file contexts declared:

/var/log/openvpn-status\.log.*    regular file    system_u:object_r:openvpn_status_t:s0
/var/log/openvpn.*                all files       system_u:object_r:openvpn_var_log_t:s0

Based on the denial, I would recommend doing a 'restorecon -v /var/log/openvpn-status.log' first, to ensure the file context is correct. The denial says:

scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

Which indicates that openvpn-status.log has openvpn_etc_t instead of openvpn_status_t.
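An added example, not part of the bug report or of the openvpn/selinux-policy packages: a small POSIX shell script that parses the raw AVC record quoted in the description and compares the denied file's type with the type the file_contexts lines quoted in this comment declare for its path. The point it demonstrates is the triage step the comment describes: a label mismatch means a mislabeled file that restorecon fixes, while a matching label means a real policy gap, which is the only case where generating a local module with audit2allow is the right move. The lookup table is constructed from the two file_contexts lines above and the /var/log directory argument is an assumption (the AVC record carries only the file name, dev and inode); on a live system `matchpathcon -n PATH` or `restorecon -nv PATH` gives the expected label instead.

```shell
#!/bin/sh
# Added example: classify an SELinux AVC denial as "mislabeled file" or "policy gap".

# Constructed sample input: the AVC record quoted in the bug description, on one line.
SAMPLE_AVC='type=AVC msg=audit(1409235344.925:526): avc: denied { write } for pid=5598 comm="openvpn" name="openvpn-status.log" dev="sda3" ino=154188 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value from an AVC line, quotes stripped.
# The leading [[:space:]] keeps "pid=" from matching inside "ppid=", and
# "scontext=" from matching inside "tcontext=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type (third colon-separated field) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the policy declares for PATH.
# Assumption: this table mirrors the two F19 file_contexts lines quoted in the
# comment above, so the script runs offline. On a real host replace the body with
#   context_type "$(matchpathcon -n "$1")"
expected_type() {
    case "$1" in
        /var/log/openvpn-status.log*) echo openvpn_status_t ;;
        /var/log/openvpn*)            echo openvpn_var_log_t ;;
        *)                            echo unknown ;;
    esac
}

# diagnose_avc LINE DIR: DIR is the directory the denied file lives in (not in the
# AVC record itself). Prints
#   "relabel PATH ACTUAL->EXPECTED"  when restorecon would fix it, or
#   "policy-gap PATH TYPE"           when the label already matches the policy.
diagnose_avc() {
    name=$(avc_field "$1" name)
    actual=$(context_type "$(avc_field "$1" tcontext)")
    path="$2/$name"
    expected=$(expected_type "$path")
    if [ "$actual" != "$expected" ]; then
        echo "relabel $path $actual->$expected"
    else
        echo "policy-gap $path $actual"
    fi
}

# Stand-alone run: the sample record yields a relabel recommendation, matching the
# restorecon advice in the comment.
diagnose_avc "$SAMPLE_AVC" /var/log
```

The `relabel` verdict is the case in this report: the file carries openvpn_etc_t where the policy expects openvpn_status_t, so `restorecon -v /var/log/openvpn-status.log` resolves it without widening the policy. Only a `policy-gap` verdict, where the label already matches, justifies the audit2allow/semodule route that the setroubleshoot catchall plugin prints unconditionally.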
It looks like the file was in /etc at one point, and mv'd to /var/log?
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Closing this one as there has been no response from the reporter, and it looks like a misconfiguration (wrong SELinux label on /var/log/openvpn-status.log).