Bug 469284 - SELinux is preventing openvpn (openvpn_t) "write" to ./ipp.txt (openvpn_etc_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 10
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Steven Pritchard
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2008-10-31 03:14 UTC by eric
Modified: 2008-12-15 02:46 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-12-15 02:46:28 UTC



Description eric 2008-10-31 03:14:22 UTC
Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./ipp.txt,

restorecon -v './ipp.txt'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:openvpn_etc_t:s0
Target Objects                ./ipp.txt [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder.christensenplace.us
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder.christensenplace.us
Platform                      Linux thunder.christensenplace.us
                              2.6.26.5-45.fc9.i686 #1 SMP Sat Sep 20 03:45:00
                              EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 30 Oct 2008 11:10:17 PM EDT
Last Seen                     Thu 30 Oct 2008 11:11:03 PM EDT
Local ID                      42fc5943-0569-400f-91e9-93b1279cec0c
Line Numbers                  

Raw Audit Messages            

host=thunder.christensenplace.us type=AVC msg=audit(1225422663.119:2170): avc:  denied  { write } for  pid=29753 comm="openvpn" name="ipp.txt" dev=dm-4 ino=565082 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file

host=thunder.christensenplace.us type=SYSCALL msg=audit(1225422663.119:2170): arch=40000003 syscall=5 success=no exit=-13 a0=8a3bd5c a1=42 a2=180 a3=8a3bd01 items=0 ppid=29745 pid=29753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=287 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Comment 1 eric 2008-10-31 03:15:06 UTC
I received this alert AFTER I performed the "restorecon -v './ipp.txt'".

Comment 2 Daniel Walsh 2008-10-31 12:38:31 UTC
Does openvpn actually need to write ipp.txt to be able to connect?

Comment 3 eric 2008-10-31 13:05:47 UTC
This was the error I received in my daily watch log.  I'm not sure why openvpn would need read/write access to ipp.txt, but that is one of the errors.  I think the restorecon fixed the openvpn-status.log, as I'm not receiving that error any longer.

**Unmatched Entries**
    Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: 5 Time(s)
    Note: cannot open /etc/openvpn/ipp.txt for READ/WRITE: 5 Time(s)
    Note: cannot open openvpn-status.log for WRITE: 5 Time(s)
    Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf: 1 Time(s)
    Use --help for more information.: 1 Time(s)

Comment 4 Daniel Walsh 2008-10-31 14:31:15 UTC
Looks like ipp.txt is something openvpn needs to write to.

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

But this file should be in /var/run/openvpn if this is a temporary file, or moved to the /var/lib/openvpn/ directory if it needs to survive a reboot.  Not under the /etc directory, which should be read-only.

    Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib: 5 Time(s)

Is this being caused by SELinux?  What is this file?  Does it need to be read/write?
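
The separation comment 4 asks for (read-only config under /etc/openvpn, writable state under /var) can be applied mechanically to a server.conf. The script below is an added example for this bug, not code from the bug, from OpenVPN or from selinux-policy. It rewrites the directives whose argument OpenVPN writes to, leaving read-only inputs such as dh untouched. The directive-to-directory table is an assumption for the example (state that must survive a reboot to /var/lib/openvpn, logs to /var/log/openvpn, the pid file to /var/run/openvpn); the sample config is constructed from the fragment quoted in comment 4. Relative paths matter here because the Fedora service starts openvpn inside /etc/openvpn, which is why comment 13 finds openvpn-status.log created there.

```python
"""Rewrite an OpenVPN server config so files it writes live under /var, not /etc.

Added example for this bug report; not code from the bug, OpenVPN or
selinux-policy.  A bare "ifconfig-pool-persist ipp.txt" is resolved relative to
the daemon's working directory (/etc/openvpn on Fedora), so the file lands on
the openvpn_etc_t label and every write is denied.  The target directories
below are an assumption for this example, not something the page states.
"""
import os

# Directives whose argument is a file OpenVPN *writes*, and where that file
# belongs.  Read-only inputs (ca, cert, key, dh, tls-auth) are left alone.
WRITABLE_DIRECTIVES = {
    'ifconfig-pool-persist': '/var/lib/openvpn',  # must survive a restart/reboot
    'status': '/var/log/openvpn',
    'log': '/var/log/openvpn',
    'log-append': '/var/log/openvpn',
    'writepid': '/var/run/openvpn',
}


def relocate_writable_paths(conf_text):
    """Return (rewritten_config, [(directive, old_path, new_path), ...]).

    Only relative paths of writable directives are moved; comments, blank
    lines, unrelated directives and already-absolute paths pass through
    unchanged, and any trailing arguments (e.g. the status interval) are kept.
    """
    out, changes = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            out.append(line)
            continue
        parts = stripped.split()
        directive = parts[0]
        home = WRITABLE_DIRECTIVES.get(directive)
        if home is None or len(parts) < 2 or os.path.isabs(parts[1]):
            out.append(line)  # not a writable file, or already outside /etc
            continue
        new_path = os.path.join(home, os.path.basename(parts[1]))
        changes.append((directive, parts[1], new_path))
        out.append(' '.join([directive, new_path] + parts[2:]))
    return '\n'.join(out) + '\n', changes


# Constructed server.conf fragment mirroring the defaults quoted in comment 4.
SAMPLE_SERVER_CONF = """\
# constructed sample, not the reporter's real /etc/openvpn/server.conf
dh easy-rsa/2.0/keys/dh2048.pem
# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
status openvpn-status.log 10
log-append /var/log/openvpn.log
"""

if __name__ == '__main__':
    new_conf, moved = relocate_writable_paths(SAMPLE_SERVER_CONF)
    for directive, old, new in moved:
        print(f'{directive}: {old} -> {new}')
    print(new_conf)
```

After rewriting, the directories must exist and carry the label the policy expects before the service is started; `matchpathcon /var/lib/openvpn` shows what label the policy would assign, and `restorecon -Rv` applies it. The dh file stays under /etc/openvpn because openvpn only reads it.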

Comment 5 eric 2008-11-12 14:16:08 UTC
Okay, I've gone rounds with this thing over the weekend.

I changed the openvpn.conf file to point to /var/run/openvpn/ and moved all the files over there.  I'm still getting slapped down by SELinux.

Comment 6 eric 2008-11-12 14:17:45 UTC
ipp.txt is the file that stores the IP addresses for the boxes that are connected so if the box disconnects and reconnects it gets the same IP (pseudo-static IP).

The dh2048.pem is one of the keys needed for encryption.

Comment 7 eric 2008-11-12 14:26:31 UTC
These are the current problems I'm seeing (since they may have changed since moving the files).

Nov 12 09:20:50 thunder openvpn[26996]: OpenVPN 2.1_rc8 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 14 2008
Nov 12 09:20:50 thunder openvpn[26996]: Note: cannot open /var/run/openvpn/ipp.txt for READ/WRITE
Nov 12 09:20:50 thunder openvpn[26996]: Cannot open /var/run/openvpn/easy-rsa/2.0/keys/dh2048.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
Nov 12 09:20:50 thunder openvpn[26996]: Exiting
Nov 12 09:20:50 thunder setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn (openvpn_etc_t). For complete SELinux messages. run sealert -l 555df8ba-1e9b-4d50-bc98-0d73c53bd3cb
Nov 12 09:20:50 thunder setroubleshoot: SELinux is preventing access to files with the default label, default_t. For complete SELinux messages. run sealert -l d39b6198-9d4f-46ea-9be5-635a9f6df75c

It appears the problem MAY lie in the target context being labeled unconfined_u:object_r:default_t:s0 vice unconfined_u:system_r:openvpn_t:s0.  I had relabeled before but will try again.

Comment 8 Daniel Walsh 2008-11-13 14:12:14 UTC
I can not see the output from the commands please attach the output.

Comment 9 eric 2008-11-13 14:27:41 UTC
Which commands?  The log entries are generated when I attempt to start the openvpn service, which fails.

Comment 10 Daniel Walsh 2008-11-13 15:42:28 UTC
I need the output of 

sealert -l 555df8ba-1e9b-4d50-bc98-0d73c53bd3cb

Or a copy of your /var/log/audit/audit.log

default_t usually means you have created a new non standard / directory that
does not have a label.  So this gets labeled default_t.  Confined domains are
not allowed to access default_t files/directories.  If you want to use a new /
directory you need to setup the labeling correctly.
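
The thread shows three different root causes behind what setroubleshoot reports with one generic "may signal an intrusion attempt" message: a daemon writing state onto its own *_etc_t config label (comments 4 and 13), files under a non-standard directory that inherit default_t (this comment), and genuine policy gaps. The script below is an added example for this bug, not code from the bug, from OpenVPN or from selinux-policy. It parses raw audit.log AVC records and sorts each denial into one of those buckets with the fix that belongs to it. Sample input is the three AVC lines quoted in this bug plus two constructed records (the default_t denial for dh2048.pem that comment 7 describes but does not quote, and an unrelated read denial). The directory labels in STATE_HOMES and the `/newdir` placeholder in the relabeling hint are assumptions for the example.

```python
"""Triage SELinux AVC denials for a confined daemon (here openvpn_t).

Added example for this bug report; not code from the bug, OpenVPN or
selinux-policy.  Each AVC record is sorted into:
  mislabeled    target type is default_t: a non-standard top-level directory
                with no file-context rule; fix the labeling, not the policy
  state-in-etc  daemon_t writing to daemon_etc_t: the file belongs under /var
  policy-gap    anything else; needs a reviewed local policy module
STATE_HOMES labels are an assumption (verify with `matchpathcon <dir>`).
"""
import re
from dataclasses import dataclass

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# file name -> (config directive, directory it belongs in, expected label)
STATE_HOMES = {
    'ipp.txt': ('ifconfig-pool-persist', '/var/lib/openvpn', 'openvpn_var_lib_t'),
    'openvpn-status.log': ('status', '/var/log/openvpn', 'openvpn_var_log_t'),
}


@dataclass
class Avc:
    perms: list
    fields: dict

    def type_of(self, key):
        return self.fields[key].split(':')[2]  # user:role:type[:range]

    @property
    def source_type(self):
        return self.type_of('scontext')

    @property
    def target_type(self):
        return self.type_of('tcontext')


@dataclass
class Verdict:
    kind: str
    reason: str
    fix: str


def parse_avc(line):
    """Return an Avc for an audit AVC record, None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(m.group('perms').split(), fields)


def triage(avc):
    name = avc.fields.get('name', '?')
    tclass = avc.fields.get('tclass', '?')
    if avc.target_type == 'default_t':
        return Verdict('mislabeled',
                       f'{name} ({tclass}) carries default_t: its directory has no file-context rule',
                       "semanage fcontext -a -t <type> '/newdir(/.*)?' && restorecon -Rv /newdir"
                       '  (/newdir is a placeholder for the new top-level directory)')
    daemon = avc.source_type[:-len('_t')]
    if 'write' in avc.perms and avc.target_type == f'{daemon}_etc_t':
        if name in STATE_HOMES:
            opt, home, label = STATE_HOMES[name]
            return Verdict('state-in-etc',
                           f'{avc.source_type} writes {name} under its read-only config label',
                           f'mkdir -p {home} && restorecon -Rv {home} (expect {label}); '
                           f'then set "{opt} {home}/{name}" in server.conf')
        return Verdict('state-in-etc',
                       f'{avc.source_type} wants write on {name} ({tclass}) labeled {avc.target_type}',
                       'point every writable path in server.conf outside /etc/openvpn '
                       '(persistent: /var/lib/openvpn, runtime: /var/run/openvpn)')
    return Verdict('policy-gap',
                   f'{avc.source_type} -> {avc.target_type} {tclass} {{ {" ".join(avc.perms)} }}',
                   'audit2allow -a -M local_openvpn; read local_openvpn.te before semodule -i')


def triage_log(lines):
    """Parse and triage every AVC record in an iterable of audit.log lines."""
    return [(avc, triage(avc)) for avc in map(parse_avc, lines) if avc]


# Three records quoted in this bug, one SYSCALL line (ignored), two constructed.
SAMPLE_LOG = [
    'type=AVC msg=audit(1225422663.119:2170): avc:  denied  { write } for  pid=29753 comm="openvpn" name="ipp.txt" dev=dm-4 ino=565082 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1225422663.119:2170): arch=40000003 syscall=5 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn"',
    'type=AVC msg=audit(1226499650.409:462): avc:  denied  { write } for  pid=26996 comm="openvpn" name="openvpn" dev=dm-4 ino=269281 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=dir',
    'node=thunder type=AVC msg=audit(1228661884.705:460): avc:  denied  { write } for  pid=7424 comm="openvpn" name="openvpn-status.log" dev=sda3 ino=33214 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file',
    # constructed: the default_t denial on dh2048.pem described in comment 7
    'type=AVC msg=audit(1226499650.409:463): avc:  denied  { read } for  pid=26996 comm="openvpn" name="dh2048.pem" dev=dm-4 ino=269300 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
    # constructed: an unrelated denial that no relabeling can explain
    'type=AVC msg=audit(1228661885.000:461): avc:  denied  { read } for  pid=7424 comm="openvpn" name="notes" dev=sda3 ino=33300 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
]

if __name__ == '__main__':
    for avc, verdict in triage_log(SAMPLE_LOG):
        print(f'[{verdict.kind}] {verdict.reason}\n    fix: {verdict.fix}')
```

Feed it `grep avc: /var/log/audit/audit.log` on the affected host. The point of the split is that `audit2allow` is the right answer only for the last bucket: allowing openvpn_t to write openvpn_etc_t would turn the configuration directory into a writable one for the daemon, and allowing access to default_t would do the same for every unlabeled directory on the system.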

Comment 11 eric 2008-11-13 15:51:27 UTC
DUH!  Yeah, I'm not awake yet.  Here ya go.

Summary:

SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn (openvpn_etc_t).

Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./openvpn,

restorecon -v './openvpn'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:openvpn_etc_t:s0
Target Objects                ./openvpn [ dir ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder.christensenplace.us
Source RPM Packages           openvpn-2.1-0.26.rc8.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-103.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder.christensenplace.us
Platform                      Linux thunder.christensenplace.us
                              2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14
                              EDT 2008 i686 athlon
Alert Count                   1
First Seen                    Wed Nov 12 09:20:50 2008
Last Seen                     Wed Nov 12 09:20:50 2008
Local ID                      555df8ba-1e9b-4d50-bc98-0d73c53bd3cb
Line Numbers                  

Raw Audit Messages            

host=thunder.christensenplace.us type=AVC msg=audit(1226499650.409:462): avc:  denied  { write } for  pid=26996 comm="openvpn" name="openvpn" dev=dm-4 ino=269281 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=dir

host=thunder.christensenplace.us type=SYSCALL msg=audit(1226499650.409:462): arch=40000003 syscall=5 success=no exit=-13 a0=9eedd74 a1=42 a2=180 a3=9eedd01 items=0 ppid=26988 pid=26996 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=55 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

Comment 12 Daniel Walsh 2008-11-13 16:44:14 UTC
Fixed in selinux-policy-3.3.1-109.fc9

Comment 13 eric 2008-12-07 14:59:14 UTC
Okay, I just upgraded to F10 x64 and it seems fixed for ipp.txt.  I'm still having the same problem with openvpn-status.log that OpenVPN creates in /etc/openvpn/.  I did try the "restorecon" as recommended in the below alert.


Summary:

SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn-status.log
(openvpn_etc_t).

Detailed Description:

SELinux denied access requested by openvpn. It is not expected that this access
is required by openvpn and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./openvpn-status.log,

restorecon -v './openvpn-status.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                unconfined_u:object_r:openvpn_etc_t:s0
Target Objects                ./openvpn-status.log [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          thunder
Source RPM Packages           openvpn-2.1-0.28.rc9.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     thunder
Platform                      Linux thunder 2.6.27.5-117.fc10.x86_64 #1 SMP Tue
                              Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Sat Dec  6 22:14:12 2008
Last Seen                     Sun Dec  7 09:58:04 2008
Local ID                      51ebcfa1-c31a-4638-bb46-c98e569efb02
Line Numbers                  

Raw Audit Messages            

node=thunder type=AVC msg=audit(1228661884.705:460): avc:  denied  { write } for  pid=7424 comm="openvpn" name="openvpn-status.log" dev=sda3 ino=33214 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

node=thunder type=SYSCALL msg=audit(1228661884.705:460): arch=c000003e syscall=2 success=no exit=-13 a0=2094248 a1=241 a2=180 a3=30a296da70 items=0 ppid=7415 pid=7424 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=29 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

