Description of problem: After yum-updating from openvpn-2.2.2-1.el5.i386 to openvpn-2.3.1-3.el5.i386, openvpn init script does not work if selinux is enforced. Version-Release number of selected component (if applicable): openvpn-2.3.1-3.el5.i386 How reproducible: Always. Steps to Reproduce: # rpm -q openvpn openvpn-2.3.1-3.el5 # getenforce Enforcing # LANG=en service openvpn start Starting openvpn: [FAILED] # tail -f /var/log/messages [...] Jun 21 06:03:27 xxx openvpn[10162]: Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission denied Jun 21 06:03:27 xxx openvpn[10162]: Options error: Please correct these errors. Jun 21 06:03:27 xxx openvpn[10162]: Use --help for more information. # ls -ld /tmp drwxrwxrwt 3 root root 4096 21 giu 04:43 /tmp # tail -f /var/log/audit/audit.log ==> audit/audit.log <== type=AVC msg=audit(1371787502.640:39858): avc: denied { read write search } for pid=10180 comm="openvpn" name="tmp" dev=hda3 ino=163201 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1371787502.640:39858): arch=40000003 syscall=33 success=no exit=-13 a0=80bdb1b a1=7 a2=1 a3=bff0b50c items=0 ppid=10171 pid=10180 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3937 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null) # setenforce permissive # getenforce Permissive # service openvpn start Avvio di openvpn: [ OK ] # tail -f /var/log/messages [...] Jun 21 06:08:32 xxx openvpn[10211]: Initialization Sequence Completed
Is there anything in /tmp that might be left over from the previous version and mislabeled?
Hardware failure occurred few days ago on the server, actually it is down and doesn't power on. I will check the /tmp directory when the server will be up and running again. Sorry for the delay...
I finally fixed the server. I ran yum update and installed openvpn-2.3.2-2.el5. Openvpn starts and works fine, now.
I ran into this today on a new VPS - seems to be a problem still on EL7: kernel-3.10.0-327.4.5.el7.x86_64 openvpn-2.3.10-1.el7.x86_64 before and after turning off SELinux: type=AVC msg=audit(1454061534.329:6649): avc: denied { read write } for pid=24493 comm="openvpn" name="tmp" dev="tmpfs" ino=256319 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir= type=SYSCALL msg=audit(1454061534.329:6649): arch=c000003e syscall=21 success=no exit=-13 a0=7f24a5882a4c a1=7 a2=7 a3=3 items=0 ppid=1 pid=24493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null) type=SERVICE_START msg=audit(1454061534.333:6650): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvpn comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' type=SERVICE_START msg=audit(1454061845.323:35): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=openvpn@myvpn comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora or Fedora EPEL, please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.