This is a tiny patch to create a /var/run/openvpn folder. Link to patch file: http://pastebin.com/H6UrCaaA

The aim of this folder is to have an SELinux-compliant folder in which to store the openvpn-status.log file. This file is specified with the status parameter in the openvpn.conf file. With this folder and the sec-policy/selinux-openvpn package, the /var/run/openvpn folder is correctly labelled and there are no more access-denied logs from SELinux.

Reproducible: Always

Steps to Reproduce:
1. Emerge and configure openvpn-2.1.4 using the 'status' parameter on an SELinux machine
2. Run openvpn
3. You get the following each time openvpn wants to update this file:

Jan 6 11:41:08 stormrage kernel: type=1400 audit(1325846468.091:685145): avc: denied { write } for pid=2486 comm="openvpn" path="/etc/openvpn/openvpn-status.log" dev=sda2 ino=3934483 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_etc_t tclass=file
Created attachment 298079 [details, diff]
Patch file

Adds a /var/log/openvpn folder and redirects pid files to this directory.
(In reply to comment #1)
> Created attachment 298079 [details, diff]
> Patch file
>
> Adds /var/log/openvpn folder and redirects pid files to this directory.

Excuse me, but your patch doesn't make sense. What did you base it on?

% grep var/run openvpn-2.1.4.ebuild
%
% grep VPNPID files/*
files/openvpn-2.1.init: VPNPID="/var/run/openvpn.${VPN}.pid"
files/openvpn-2.1.init: VPNPID="/var/run/openvpn.pid"
Oh, never mind. I now see that your patch was backwards. It is "diff -u <old> <new>".
This bug has gotten really old, can you please retry with openvpn-2.3.12 and see if the issue still exists?
Created attachment 469136 [details, diff] fix the run path on a selinux enforced box
You're totally right. I don't have any SELinux box with openvpn right now, but I can see from the current refpolicy that the issue remains.

SELinux fc policy from https://github.com/TresysTechnology/refpolicy-contrib/blob/2128180acf3e02131dfb02d7cf1835d0a1f62b1b/openvpn.fc:

/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)

Current init file:

VPNPID="/var/run/openvpn.${VPN}.pid"
VPNPID="/var/run/openvpn.pid"

I noticed my first patch was wrong for multiple reasons. I made another patch which creates the /run/openvpn folder the right way. I have not tested it yet. It seems we are shifting from /var/run to /run, so I updated the init to reflect that.
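As an added example (not code from the bug report, the openvpn ebuild or its init script): a POSIX sh script that pulls the relevant fields out of the AVC denial quoted in the report, derives the /run/openvpn path that the refpolicy openvpn.fc quoted above labels openvpn_var_run_t, and creates that directory idempotently the way an init script would. The ensure_rundir function takes the directory and owner as parameters so it can be exercised on a temporary directory; the openvpn:openvpn owner default is an assumption. checkpath is the OpenRC helper, with a mkdir fallback when it is absent, and restorecon runs only when selinuxenabled reports SELinux active.

```shell
#!/bin/sh
# Added example; not from the Gentoo bug, the openvpn ebuild or its init script.

# Constructed sample: the AVC denial quoted in the bug report.
AVC_SAMPLE='Jan 6 11:41:08 stormrage kernel: type=1400 audit(1325846468.091:685145): avc: denied { write } for pid=2486 comm="openvpn" path="/etc/openvpn/openvpn-status.log" dev=sda2 ino=3934483 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:openvpn_etc_t tclass=file'

# avc_field LINE KEY: print the value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_summary LINE: "<source domain> <perm> <class> <path> -> <target type>".
avc_summary() {
    printf '%s %s %s %s -> %s\n' \
        "$(avc_field "$1" scontext)" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" path)" \
        "$(avc_field "$1" tcontext)"
}

# run_status_path PATH: the same file name relocated under /run/openvpn,
# which openvpn.fc maps to openvpn_var_run_t (openvpn_t may write there).
run_status_path() {
    printf '/run/openvpn/%s\n' "$(basename "$1")"
}

# ensure_rundir DIR [OWNER]: create DIR idempotently and relabel it.
# OWNER defaults to openvpn:openvpn (assumption about the service account).
ensure_rundir() {
    _dir=$1
    _owner=${2:-openvpn:openvpn}
    if command -v checkpath >/dev/null 2>&1; then
        checkpath -d -m 0750 -o "$_owner" "$_dir"      # OpenRC helper
    else
        mkdir -p "$_dir" && chmod 0750 "$_dir"         # fallback without OpenRC
    fi
    # Only relabel on a box with SELinux enabled; restorecon applies the fc entry.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$_dir"
    fi
    [ -d "$_dir" ]
}

# Demo: summarise the denial and print the corrected openvpn.conf directive.
avc_summary "$AVC_SAMPLE"
printf 'status %s\n' "$(run_status_path "$(avc_field "$AVC_SAMPLE" path)")"
```

With the directory in place, openvpn.conf gets `status /run/openvpn/openvpn-status.log` and the init script's VPNPID moves under the same directory, so both files are created with openvpn_var_run_t instead of inheriting openvpn_etc_t from /etc/openvpn.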