Opened 9 years ago
Last modified 7 years ago
#479 new Bug / Defect
Ensure documentation recommends using /var/log for --status files — at Initial Version
Reported by: | David Sommerseth | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | release 2.4 |
Component: | Documentation | Version: | OpenVPN 2.3.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | selinux documentation |
Cc: |
Description
There are several misconfigurations which make openvpn fail due to --status /etc/openvpn/openvpn-status.log being used instead of /var/log/openvpn-status.log. This happens especially on systems with SELinux enabled, as most SELinux policies do not grant the openvpn process write privileges in /etc.
As the --status file is more like a log file (most examples even use .log extension), placing it in /var/log makes more sense and matches most SELinux policies as well. I suggest using /var/log/openvpn-status.log in all examples.
```
# semanage fcontext --list | grep openvpn-status
/var/log/openvpn-status\.log.*    regular file    system_u:object_r:openvpn_status_t:s0
```
More reports on this issue in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1002240
https://bugzilla.redhat.com/show_bug.cgi?id=1134967
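
Added example (not part of the original ticket and not OpenVPN's own tooling): a small audit that scans OpenVPN config files for the misconfiguration described above and reports every `status` directive whose file is not under /var/log. The function name `find_bad_status` is hypothetical; the check assumes paths without spaces and does not consult the loaded SELinux policy.

```shell
#!/bin/sh
# Added example: flag OpenVPN "status" directives whose file is not under /var/log.
# Assumption: status paths contain no spaces (quoted paths with spaces are not handled).

# find_bad_status FILE...
# Prints "file:line: path" for each status directive outside /var/log/.
# Returns 0 when every config is clean, 1 when at least one finding exists.
find_bad_status() {
    awk -v sq="'" '
        # Skip blank lines and comments ("#" or ";" start a comment in OpenVPN configs).
        /^[ \t]*([#;]|$)/ { next }
        # Match only the "status" directive, not "status-version".
        $1 == "status" && NF >= 2 {
            path = $2
            # Drop one surrounding double or single quote on each side.
            gsub("^[\"" sq "]|[\"" sq "]$", "", path)
            # Relative paths are flagged too: they resolve against the
            # working directory of the daemon, not /var/log.
            if (path !~ /^\/var\/log\//) {
                printf "%s:%d: %s\n", FILENAME, FNR, path
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Run as a script: sh check-status.sh /etc/openvpn/*.conf
if [ "$#" -gt 0 ]; then
    find_bad_status "$@"
fi
```

A non-zero exit status makes the check usable in packaging or configuration-management tests that should fail when a status file points into /etc.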