Description of problem:
SELinux is blocking startup of openvpn. Message in logs:

Jun 14 21:44:36 malcolm setroubleshoot: SELinux is preventing /usr/sbin/openvpn (openvpn_t) "search" to /var/run/openvpn/server.pid (openvpn_var_run_t). For complete SELinux messages. run sealert -l cc8ca0d1-b321-41c3-879f-21d75cdc77ad

seaudit...

Source Context  user_u:system_r:openvpn_t
Target Context  system_u:object_r:openvpn_var_run_t
Target Objects  /var/run/openvpn/server.pid [ dir ]
Affected RPM Packages  openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM  selinux-policy-2.6.4-13.fc7
Selinux Enabled  True
Policy Type  targeted
MLS Enabled  True
Enforcing Mode  Enforcing
Plugin Name  plugins.catchall_file
Host Name  malcolm.saafinternational.com
Platform  Linux malcolm.saafinternational.com 2.6.21-1.3149.fc7 #1 SMP Fri May 11 11:30:39 EDT 2007 x86_64 x86_64
Alert Count  4
First Seen  Thu Jun 14 21:44:34 2007
Last Seen  Thu Jun 14 21:48:27 2007
Local ID  cc8ca0d1-b321-41c3-879f-21d75cdc77ad
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="openvpn" cwd="/etc/openvpn" dev=md1 egid=0 euid=0 exe="/usr/sbin/openvpn" exit=-13 fsgid=0 fsuid=0 gid=0 item=0 items=1 name="openvpn" obj=system_u:object_r:etc_t:s0 path="/var/run/openvpn/server.pid" pid=10145 scontext=user_u:system_r:openvpn_t:s0 sgid=0 subj=user_u:system_r:openvpn_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:openvpn_var_run_t:s0 tty=pts1 uid=0

Version-Release number of selected component (if applicable):
2.1-0.19.rc4.fc7

How reproducible:
Always

Steps to Reproduce:
1. use server.conf as in example
2. start openvpn
3.

Actual results:
openvpn fails to start

Expected results:
it should start

Additional info:
Have you tried this recently (with updates installed)? That should work.
Created attachment 290159: sealert output
See attachment of earlier comment: SELinux policy prevents openvpn startup script from writing to openvpn-status.log.

RPMs of interest:
libselinux-2.0.14-10.fc7
selinux-policy-targeted-2.6.4-61.fc7
selinux-policy-2.6.4-61.fc7
libselinux-python-2.0.14-10.fc7
selinux-policy-devel-2.6.4-61.fc7
libselinux-devel-2.0.14-10.fc7
openvpn-2.1-0.19.rc4.fc7
Hi, currently I have the following issue: my cert file is in ~/cert. openvpn cannot read it, because it wants to "search" on /home (home_root_t). I assume that this access is unnecessary and blocked by SELinux policy for a reason. Is there a fix?
The information we've requested above is required in order to review this problem report further and diagnose/fix the issue if it is still present. Since there have not been any updates to the report for thirty (30) days or more since we requested additional information, we're assuming the problem is either no longer present in the current Fedora release, or that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA". If you still experience this problem after updating to our latest Fedora release and can provide the information previously requested, please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.