Description of problem: When openvpn is started using the openvpn-server@.service template, avc denials on status-server.log are generated: time->Sat Aug 5 07:27:34 2017 type=AVC msg=audit(1501910854.790:11955): avc: denied { write } for pid=1122 comm="openvpn" path="/run/openvpn-server/status-server.log" dev="tmpfs" ino=21852 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0 This is due to the ExecStart line setting --status to %t/openvpn-server/status-%i.log, while the packaged selinux fcontext rules expect that file to be in /var/log/openvpn-status\.log.* I'm not quite sure whether the service file should be updated or whether the selinux rules should be updated, but I was ultimately able to fix this by running: semanage fcontext -a -t openvpn_status_t --ftype f /var/run/openvpn-server/openvpn-status\.log.* Version-Release number of selected component (if applicable): openvpn-2.4.3-1.fc25.i686 selinux-policy-targeted-3.13.1-225.19.fc25.noarch How reproducible: Always Steps to Reproduce: 1. Clone /lib/systemd/system/openvpn-server@.service into /etc/systemd/system/openvpn-server 2. Start openvpn 3. Observe avc denials: ausearch -m avc -c openvpn | grep status Actual results: Write is denied because selinux rules (see: semanage fcontext -l | grep openvpn) expect the openvpn-server.status file to be in /var/log rather than /run Expected results: No avc denial. Additional info:
Thanks for the report. This is really odd, I've not had any issues with this on other hosts. But I accept that this is an issue. I do claim that the --status file is not a log file. It shows the current status of the current status of the running OpenVPN instance, including the internal routing table. This file is also overwritten for each update, so it is not growing which is the most common scenario for log files. Hence, this file was located into the /run directory. The SELinux policy have not been updated (that's my fault for not keeping them closely enough into the loop). But I think the proper solution is to *add* /run/openvpn-server to carry the proper openvpn context. So I'll flip this bug to the selinux-policy package, for further discussion.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 - still the same.
(In reply to z117 from comment #3) > Fedora 27 - still the same. Please ignore, looks like my problem have slightly different source however very similar symptoms.
From BZ description, it looks like unit file specify to store log in /run. This is probably not good idea, it should be in /var/log/. Moving to openvpn component.
@Lukas, so how can we modify the SELinux policy then to accept that the *status* file can be accepted in /run? This is NOT a log file. How can we ship this in the OpenVPN package? In server configurations, the --status file contains a tiny report of which clients are currently connected. It is not a forever growing log which contains use full information whenever the system is rebooted. It is a current snapshot of the current situation, and the complete file is rewritten on each update. This is why this file belongs to a place outside of /var/log.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Thank you. In that case I label /run/openvpn-server/ as openvpn_var_run_t and it should fix the issue. Thanks, Lukas.
Thank you, Lukas, Please also add /run/openvpn-client as well. Client configurations may also use --status, but is not as widely used there as on the server side. However, the openvpn_var_run_t label is appropriate also for /run/openvpn-client.
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.