From Debian package 0.0.20080702-15 Label /var/run/openvpn.client* as openvpn_var_run_t allow openvpn_t to access var_lib_t and usr_t files for vulnkey
Index: policy/modules/services/openvpn.fc
===================================================================
--- policy/modules/services/openvpn.fc.orig
+++ policy/modules/services/openvpn.fc
@@ -15,3 +15,4 @@
 #
 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/var/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
Index: policy/modules/services/openvpn.te
===================================================================
--- policy/modules/services/openvpn.te.orig
+++ policy/modules/services/openvpn.te
@@ -64,6 +64,10 @@
 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
 
+# for the list of vulnerable keys
+files_read_usr_files(openvpn_t)
+files_read_var_lib_files(openvpn_t)
+
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
 kernel_read_network_state(openvpn_t)
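Review bot: The pattern added to openvpn.fc leaves the dot in `openvpn.client` unescaped, so as a regular expression it matches any character in that position rather than a literal dot. Writing the entry as `/var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)` keeps the label limited to the intended file names. The neighbouring `/var/log/openvpn.*` entry is equally loose, so this may be the file's habit, but a tight match matters more for a type that openvpn_t is allowed to manage.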
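Review bot: `files_read_usr_files(openvpn_t)` and `files_read_var_lib_files(openvpn_t)` in openvpn.te let the daemon domain read everything labelled usr_t and var_lib_t, which is far wider than the single key list the comment mentions. The comment should name the consumer and the location, for example `# vulnkey reads the weak-key list under <blacklist path>; nothing else in usr_t/var_lib_t is needed`, so a later reviewer can narrow the grant. If the list can be given its own type, a dedicated label with a read rule for openvpn_t would be the least-privilege form. Since the check appears to come from the Debian package, putting the two interface calls under a distro conditional may also be appropriate.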