Bug 246311 - openvpn can't bind to udp port
Summary: openvpn can't bind to udp port
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-06-29 23:42 UTC by Alexandre Oliva
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-02 16:49:38 UTC
Type: ---
Embargoed:


Description Alexandre Oliva 2007-06-29 23:42:30 UTC
Description of problem:
openvpn can't bind to UDP ports

Version-Release number of selected component (if applicable):
not sure whether this was with selinux-policy-targeted-2.6.4-21.fc7 or the
F7-pristine 2.6.4-8.fc7

How reproducible:
Every time

Steps to Reproduce:
1. Set up openvpn to listen for connections on a given UDP port (regardless of
whether it's on boot or later)

Actual results:
type=AVC msg=audit(1183081488.432:32): avc:  denied  { name_bind } for  pid=2969
comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1183081488.432:32): arch=c000003e syscall=49 success=no
exit=-13 a0=4 a1=7fff2cb2f1e0 a2=10 a3=0 items=0 ppid=2950 pid=2969
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)

Jun 28 22:44:48 <host> openvpn[2969]: OpenVPN 2.1_rc4 x86_64-redhat-linux-gnu 
[SSL] [LZO2] [EPOLL] built on Apr 26 2007
Jun 28 22:44:48 <host> openvpn[2969]: TCP/UDP: Socket bind failed on local
address <IP>:7189: Permission denied


Expected results:
No such errors


Additional info:

Comment 1 Alexandre Oliva 2007-06-29 23:45:29 UTC
I've just confirmed that the problem still occurs with
selinux-policy-targeted-2.6.4-21.fc7

Comment 2 Daniel Walsh 2007-07-02 01:32:28 UTC
Ok is port 7189 a default port for openvpn?  Or is this something that you setup
in a configuration?  Or does openvpn select udp ports randomly to listen on?

The system is setup to allow openvpn to listen on port 1194

If this is just your configuration you can add this port by executing

semanage port -a -t openvpn_port_t -p udp 7189

Comment 3 Alexandre Oliva 2007-07-02 02:28:49 UTC
I didn't even know that it had default ports.  A single port won't do, though; I
have multiple vpn configurations on some boxes, each using different ports.

Thanks for the tip on semanage; it's not clear to me, after reading the man
page, whether the setting survives reboot (or whether it requires a policy
reload to become effective).  I'll figure that out, but you may want to take a
note to improve the manual in this regard.  I can file a separate bug on that,
if you like.

Thanks again,

Comment 4 Daniel Walsh 2007-07-02 16:49:38 UTC
Yes semanage survives reboots.  All policy changes do except setting booleans.
If you specify setsebool -P they are permanent.

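Added example, not part of the bug report or the selinux-policy project: a POSIX shell helper that turns name_bind AVC denials like the one quoted in the description into the per-port `semanage port` command from Comment 2, emitting one command per port so a multi-port setup like the one in Comment 3 gets labelled instead of policy being loosened. It assumes the usual naming convention that a domain foo_t binds ports labelled foo_port_t (openvpn_t / openvpn_port_t here), and the three AVC lines are a constructed sample.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the "semanage port" command
# for each name_bind denial instead of disabling enforcement. Assumes the
# SELinux naming convention that domain foo_t binds ports of type foo_port_t
# (openvpn_t -> openvpn_port_t, as Comment 2 states).

# Constructed sample: the denial from the report, a second openvpn port over
# TCP, and a port that is already labelled with a non-generic type.
SAMPLE_AVC='type=AVC msg=audit(1183081488.432:32): avc:  denied  { name_bind } for  pid=2969 comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1183081500.001:33): avc:  denied  { name_bind } for  pid=2970 comm="openvpn" src=7190 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183081510.002:34): avc:  denied  { name_bind } for  pid=2971 comm="openvpn" src=443 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# avc_to_semanage: read audit lines on stdin and print one semanage command
# per name_bind denial on an unlabelled (port_t) port. Ports that already
# carry another type are reported, not relabelled: "-m" there would steal the
# port from another service and needs a human decision.
avc_to_semanage() {
    while IFS= read -r line; do
        case "$line" in
            *'{ name_bind }'*) ;;
            *) continue ;;
        esac
        port=$(printf '%s\n' "$line" | sed -n 's/.* src=\([0-9]*\) .*/\1/p')
        domain=$(printf '%s\n' "$line" | sed -n 's/.* scontext=[^:]*:[^:]*:\([a-z_]*_t\):.*/\1/p')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.* tcontext=[^:]*:[^:]*:\([a-z_]*_t\):.*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.* tclass=\([a-z]*\)_socket.*/\1/p')
        [ -n "$port" ] && [ -n "$domain" ] && [ -n "$proto" ] || continue
        port_type="${domain%_t}_port_t"
        if [ "$ttype" != "port_t" ]; then
            printf '# port %s/%s already labelled %s; review before using -m\n' "$port" "$proto" "$ttype"
            continue
        fi
        printf 'semanage port -a -t %s -p %s %s\n' "$port_type" "$proto" "$port"
    done
}

# Run over the constructed sample (pipe "ausearch -m avc" output in practice).
printf '%s\n' "$SAMPLE_AVC" | avc_to_semanage
```

The emitted commands are persistent across reboots, as Comment 4 notes; `semanage port -l | grep openvpn` confirms the labels took effect.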
