Bug 781703

Summary: SELinux blocks OpenVPN from connecting to custom TCP port.
Product: [Fedora] Fedora Reporter: Ruediger Gad <r.c.g>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-16 08:13:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Output of audit log.
none
audit2why output
none
audit2allow output
none
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 1
none
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 2
none
openvpn_tcp_custom_port.te
none
openvpn_tcp_custom_port.pp none

Description Ruediger Gad 2012-01-14 14:17:44 UTC
Created attachment 555223 [details]
Output of audit log.

Description of problem:
SELinux blocks OpenVPN from connecting to custom TCP port.

Version-Release number of selected component (if applicable):
3.10.0

How reproducible:
Try to connect to an OpenVPN server using a non-default (other than 1194) TCP port by using a VPN connection set up with nm-applet.

Steps to Reproduce:
1. Install Fedora 16
2. Set up a VPN via nm-applet. The "server" does not need to actually run an OpenVPN server as this error occurs before the actual connection is established. 
3. Configure the VPN to use TCP and a non-default port via the advanced options, e.g., TCP port 1195.
4. Try to connect to the VPN.
  
Actual results:
SELinux prohibits OpenVPN from connecting. 
Output in /var/log/messages is as follows:
Jan 14 12:13:37 colin nm-openvpn[11491]: TCP: connect to 192.168.20.1:1195 failed, will try again in 5 seconds: Permission denied


Expected results:
OpenVPN should be allowed to create an outgoing TCP connection to servers that listen on non-default ports.

Additional info:

Comment 1 Ruediger Gad 2012-01-14 14:18:28 UTC
Created attachment 555224 [details]
audit2why output

Comment 2 Ruediger Gad 2012-01-14 14:18:49 UTC
Created attachment 555225 [details]
audit2allow output

Comment 3 Ruediger Gad 2012-01-14 14:19:33 UTC
Created attachment 555226 [details]
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 1

Comment 4 Ruediger Gad 2012-01-14 14:19:52 UTC
Created attachment 555227 [details]
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 2

Comment 5 Ruediger Gad 2012-01-14 14:22:03 UTC
Created attachment 555232 [details]
openvpn_tcp_custom_port.te

Comment 6 Ruediger Gad 2012-01-14 14:22:26 UTC
Created attachment 555233 [details]
openvpn_tcp_custom_port.pp

Comment 7 Ruediger Gad 2012-01-14 14:27:51 UTC
I missed that in the initial report: the version number 3.10.0 is the version of the selinux-policy package.
I hope this is the correct package for this bug.

Comment 8 Miroslav Grepl 2012-01-16 08:13:28 UTC
We allow openvpn to connect to these ports

# sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT

If you set up your own port, you will need to add a local policy. sealert
should tell you all options which you have.