Description of problem:
openvpn client will not start due to selinux denials. Problem seems to be with denials to write the pid to /var/run/openvpn.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-13.fc7
openvpn-2.1-0.19.rc4.fc7

How reproducible:
Always happens while selinux targeted policy is enforcing.

Steps to Reproduce:
1. service openvpn start

Actual results:
openvpn client has problems writing to /var/run/openvpn due to selinux denial and openvpn exits.

Expected results:
openvpn client should write its pid to /var/run/openvpn and connect to the remote server.

Additional info:
restorecon -v /var/run/openvpn doesn't fix the problem. I used AVCs and audit2allow to finally get it to run. The generated policy module is attached.
Created attachment 156670
openvpn policy module
Added the following to selinux-policy-targeted-2.6.4-14:

allow openvpn_t openvpn_var_run_t:dir { write search add_name };

Why does openvpn need to read homedir?
Created attachment 156836
selinux policy module to allow openvpn to start
(In reply to comment #2)
> Added the following to selinux-policy-targeted-2.6.4-14
>
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
>
> Why does openvpn need to read homedir?

I'm not sure. I removed that and reloaded the new module and openvpn seems to start ok. I've attached the new module.
Just looking into another OpenVPN/SELinux problem (which may just be because my policy is out of date), and noticed this:

> Why does openvpn need to read homedir?

Is it because the OpenVPN configuration file references files (keys, certificates, etc.) in a home directory?
(In reply to comment #5)
> Just looking into another OpenVPN/SELinux problem (which may just be because my
> policy is out of date), and noticed this:
>
> > Why does openvpn need to read homedir?
>
> Is it because the OpenVPN configuration file references files (keys,
> certificates, etc.) in a home directory?

No, all the openvpn configuration stuff was where it was supposed to be (as desired by /etc/init.d/openvpn): /etc/openvpn. I used "sudo service openvpn ..." to start/stop openvpn.
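The denial-to-rule step the reporter did with audit2allow, together with the review question raised in comment #2, as an added example that is not part of this bug or of the selinux-policy package: it parses AVC lines, merges them into one allow rule per (source type, target type, class) and flags any rule whose target is a home-directory type so it is questioned rather than granted. The sample AVC lines are constructed to mirror this report, and REVIEW_TYPES and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC lines modelled on this bug: three pid-file denials under
# /var/run/openvpn and one stray home-directory read (not real audit.log data).
SAMPLE_AVCS = """\
type=AVC msg=audit(1180000000.001:42): avc:  denied  { write } for  pid=2345 comm="openvpn" name="openvpn" dev=tmpfs ino=1234 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1180000000.002:43): avc:  denied  { add_name } for  pid=2345 comm="openvpn" name="openvpn.pid" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1180000000.003:44): avc:  denied  { search } for  pid=2345 comm="openvpn" name="openvpn" dev=tmpfs ino=1234 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_run_t:s0 tclass=dir
type=AVC msg=audit(1180000000.004:45): avc:  denied  { read } for  pid=2345 comm="openvpn" name="root" dev=dm-0 ino=99 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Target types a reviewer should question before granting (the "why does
# openvpn need to read homedir?" check); an assumed list, extend as needed.
REVIEW_TYPES = {"user_home_dir_t", "user_home_t", "home_root_t"}

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def merge_denials(text):
    """Collapse AVC lines into {(source_type, target_type, tclass): {perms}}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            merged[key] |= set(m["perms"].split())
    return dict(merged)

def allow_rules(merged):
    """Render one policy 'allow' statement per merged key, audit2allow style."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def needs_review(merged):
    """Keys whose target type is a home-directory type: do not allow blindly."""
    return [k for k in sorted(merged) if k[1] in REVIEW_TYPES]

if __name__ == "__main__":
    denials = merge_denials(SAMPLE_AVCS)
    print("\n".join(allow_rules(denials)))
    print("review before allowing:", needs_review(denials))
```

Rules that survive review go into a .te file that is compiled with checkmodule -M -m, packaged with semodule_package and loaded with semodule -i, which is the path the attached module took.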
Fixes for this should be available in selinux-policy-2.6.4-28.
Closing as fixes are in the current release.