Thursday, September 9, 2010

OpenVPN & SELinux - Denied Read

Setting up a new server and I'm finally starting to use SELinux. I know I should have done this years ago, but what can I say...

Anyway, I installed the OpenVPN rpm (v2.09) from Dag Wieers. I copied my config files over from my desktop machine and then copied them to /etc/openvpn. I attempted to start the service, but it kept failing. I looked in my audit log in /var/log/audit/audit.log and saw this error:

type=AVC msg=audit(1284047743.108:34): avc: denied { read } for pid=3895 comm="openvpn" name="client.conf" dev=dm-0 ino=65543 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1284047743.108:34): arch=40000003 syscall=5 success=no exit=-13 a0=bfab9c18 a1=0 a2=1b6 a3=9084298 items=0 ppid=3887 pid=3895 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)

Why would the OpenVPN SELinux policy deny access to files in /etc/openvpn? Because I had copied them into my home directory first and then moved them to /etc/openvpn. A file keeps the label it was created with when it is moved, so the configs were still labelled user_home_t (the tcontext in the AVC record above), which the openvpn_t domain is not allowed to read. I was able to restore the correct SELinux security context on the files by running this command:

/sbin/restorecon -R -v /etc/openvpn

(Thanks Daniel @ Redhat Bugzilla!)
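As an added example (not from the original post and not part of any SELinux tool), here is a small POSIX shell helper that pulls the source and target types out of AVC records like the one above and flags the "home-directory label on a daemon's file" pattern, so the same mistake can be spotted across a whole audit.log rather than one record at a time. The first sample record is the post's own; the second (an openvpn_etc_t target) is a constructed negative case. The function names and the list of home-directory types are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage AVC denials for the "label followed the file out of
# $HOME" pattern. Function names and the home-directory type list are
# assumptions made here, not part of any SELinux tool.

# Constructed sample input: the AVC record from the post, plus a constructed
# record for a correctly labelled file (openvpn_etc_t) as a negative case.
AVC_SAMPLE='type=AVC msg=audit(1284047743.108:34): avc: denied { read } for pid=3895 comm="openvpn" name="client.conf" dev=dm-0 ino=65543 scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'
OK_SAMPLE='type=AVC msg=audit(1284047800.000:35): avc: denied { write } for pid=3895 comm="openvpn" name="server.conf" dev=dm-0 ino=65544 scontext=user_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_etc_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: print the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: print comm:source_type:target_type:name:tclass
avc_summary() {
    printf '%s:%s:%s:%s:%s\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" name)" \
        "$(avc_field "$1" tclass)"
}

# looks_mislabelled RECORD: succeed when the target is a file or directory still
# carrying a home-directory type. mv keeps the label a file was created with,
# so this is the signature of a config copied into $HOME and then moved out.
looks_mislabelled() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$ttype" in
        user_home_t|user_home_dir_t|home_root_t)
            [ "$tclass" = file ] || [ "$tclass" = dir ] ;;
        *)  return 1 ;;
    esac
}

# scan_avc_log < audit.log: one summary line per AVC record that looks mislabelled.
scan_avc_log() {
    while IFS= read -r line; do
        case "$line" in
            "type=AVC "*) looks_mislabelled "$line" && avc_summary "$line" ;;
        esac
    done
    return 0
}

# Stand-alone run over the constructed sample; only the user_home_t record is printed.
printf '%s\n%s\n' "$AVC_SAMPLE" "$OK_SAMPLE" | scan_avc_log
```

On a live box, `scan_avc_log < /var/log/audit/audit.log` lists each file a confined daemon was denied access to because it still carries a home-directory label; those are exactly the files that the restorecon command above relabels to what the policy expects for their path.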