openvpn.log: Permission denied

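Today a CentOS 5.8 machine rebooted and I found that tun0 had not come up. At first I assumed the startup command had not been added to rc.local, so I added the command:
/usr/sbin/openvpn --config /etc/openvpn/openvpn.conf > /dev/null 2>&1 &
to rc.local and rebooted the system to confirm it would run normally, but there was still no tun0. I then ran the system command:
service openvpn start, which reported [FAILED], so I checked the /var/log/messages log and found the following errors: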
Mar 13 20:32:42 service-labs.com kernel: type=1400 audit(1489451562.261:15): avc: denied { write } for pid=1964 comm="openvpn" name="openvpn.log" dev=vda1 ino=164593 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
Mar 13 20:32:42 service-labs.com openvpn[1964]: Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn.log: Permission denied (errno=13)
Mar 13 20:32:42 service-labs.com kernel: type=1400 audit(1489451562.264:16): avc: denied { write } for pid=1964 comm="openvpn" name="openvpn-status.log" dev=vda1 ino=164598 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
Mar 13 20:32:42 service-labs.com openvpn[1964]: Options error: --status fails with '/var/log/openvpn-status.log': Permission denied
Mar 13 20:32:42 service-labs.com openvpn[1964]: Options error: Please correct these errors.
Mar 13 20:32:42 service-labs.com openvpn[1964]: Use --help for more information.
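At first I thought it was just a file permission problem, so I set both openvpn.log and openvpn-status.log to chmod 777, but the error persisted. Searching online, I found this bug: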
https://bugzilla.redhat.com/show_bug.cgi?id=963631
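
The avc: denied records in the log above name the SELinux types on both sides of the refused write. The following is an added example, not part of the original post: it parses those records and groups them by source type, target type, class and permission. The function names are this example's own, and the sample text is the log excerpt from this page with straight quotes.

```python
import re

# AVC records copied from the /var/log/messages excerpt on this page
# (quotes normalised), plus one non-AVC line to show it is skipped.
SAMPLE = """\
Mar 13 20:32:42 service-labs.com kernel: type=1400 audit(1489451562.261:15): avc: denied { write } for pid=1964 comm="openvpn" name="openvpn.log" dev=vda1 ino=164593 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
Mar 13 20:32:42 service-labs.com openvpn[1964]: Options error: Please correct these errors.
Mar 13 20:32:42 service-labs.com kernel: type=1400 audit(1489451562.264:16): avc: denied { write } for pid=1964 comm="openvpn" name="openvpn-status.log" dev=vda1 ino=164598 scontext=root:system_r:openvpn_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            summary.setdefault(key, []).append(rec["name"])
    return summary

if __name__ == "__main__":
    for (src, tgt, cls, perm), names in summarize(SAMPLE).items():
        print(f"{src} denied {perm} on {tgt}:{cls} -> {', '.join(names)}")
```

Both denials reduce to one rule: a process in openvpn_t was refused write on a file labelled var_log_t. That decision is made on the SELinux labels rather than on the file mode bits, which is why chmod 777 did not change the result.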

Solution:
Disabling SELinux is enough:
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
It is best to enable openvpn to start automatically, so the command does not need to go in rc.local:
chkconfig openvpn on
