Bug 246311 - openvpn can't bind to udp port
Summary: openvpn can't bind to udp port
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-06-29 23:42 UTC by Alexandre Oliva
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-07-02 16:49:38 UTC


Description Alexandre Oliva 2007-06-29 23:42:30 UTC
Description of problem:
openvpn can't bind to UDP ports

Version-Release number of selected component (if applicable):
not sure whether this was with selinux-policy-targeted-2.6.4-21.fc7 or the
F7-pristine 2.6.4-8.fc7

How reproducible:
Every time

Steps to Reproduce:
1. Set up openvpn to listen for connections on a given UDP port (regardless of
whether it's on boot or later)
Actual results:
type=AVC msg=audit(1183081488.432:32): avc:  denied  { name_bind } for  pid=2969
comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1183081488.432:32): arch=c000003e syscall=49 success=no
exit=-13 a0=4 a1=7fff2cb2f1e0 a2=10 a3=0 items=0 ppid=2950 pid=2969
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="openvpn" exe="/usr/sbin/openvpn"
subj=system_u:system_r:openvpn_t:s0 key=(null)

Jun 28 22:44:48 <host> openvpn[2969]: OpenVPN 2.1_rc4 x86_64-redhat-linux-gnu 
[SSL] [LZO2] [EPOLL] built on Apr 26 2007
Jun 28 22:44:48 <host> openvpn[2969]: TCP/UDP: Socket bind failed on local
address <IP>:7189: Permission denied

Expected results:
No such errors

Additional info:

Comment 1 Alexandre Oliva 2007-06-29 23:45:29 UTC
I've just confirmed that the problem still occurs with

Comment 2 Daniel Walsh 2007-07-02 01:32:28 UTC
Ok, is port 7189 a default port for openvpn?  Or is this something that you set up
in a configuration?  Or does openvpn select udp ports randomly to listen on?

The system is set up to allow openvpn to listen on port 1194

If this is just your configuration you can add this port by executing

semanage port -a -t openvpn_port_t -p udp 7189

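The fix in the comment above is derived by hand from the AVC record in the report: the source domain (openvpn_t), the target port type (port_t, the generic label for unreserved ports), the socket class (udp_socket) and the port number (src=7189). The following script, added here as an example and not part of the bug report or of Fedora's tooling, automates that triage: it parses name_bind denials out of audit text and emits the semanage port command that would label each port for the denied domain. The mapping from openvpn_t to openvpn_port_t is taken from the comment above; the second denial on port 7190 in the sample input is constructed to show that several VPN instances on different ports are handled in one pass.

```python
"""Turn SELinux name_bind AVC denials into the semanage port commands that
would label those ports for the denied domain. Added example; the domain ->
port-type mapping is supplied by the caller and is an assumption here."""
import re

# Constructed sample input: the AVC and SYSCALL records from the report,
# joined back onto single lines as auditd writes them, plus one constructed
# denial for a second OpenVPN instance on port 7190.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1183081488.432:32): avc:  denied  { name_bind } for  pid=2969 comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1183081488.432:32): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fff2cb2f1e0 a2=10 a3=0 items=0 ppid=2950 pid=2969 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1183081499.001:33): avc:  denied  { name_bind } for  pid=2980 comm="openvpn" src=7190 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

# The permission set sits between braces: "{ name_bind }".
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")

# Object class -> protocol name as semanage expects it.
SOCKET_PROTO = {"udp_socket": "udp", "tcp_socket": "tcp"}


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for anything else."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perm_match = PERM_RE.search(line)
    if not perm_match:
        return None
    # Everything else in the record is whitespace-separated key=value pairs.
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    try:
        return {
            "perms": perm_match.group(1).split(),
            "comm": fields["comm"],
            "port": int(fields["src"]),
            # user:role:type:level -> the type is the third field.
            "sdomain": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError, ValueError):
        return None


def semanage_commands(audit_text, port_type_for_domain):
    """Return the deduplicated, sorted semanage commands that would let each
    denied domain bind its port.

    port_type_for_domain maps a source domain (e.g. openvpn_t) to the port
    type the policy already allows it to bind (openvpn_port_t, per the
    comment above). Domains not in the map are reported nowhere: labelling a
    port for an unknown domain is a policy decision, not a mechanical fix.
    """
    commands = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "name_bind" not in rec["perms"]:
            continue
        proto = SOCKET_PROTO.get(rec["tclass"])
        port_type = port_type_for_domain.get(rec["sdomain"])
        if proto is None or port_type is None:
            continue
        # port_t is the generic label for unreserved ports, so a new mapping
        # is added (-a). Any other target type means the port is already
        # reserved for some other service; -m modifies the existing mapping
        # and takes the port away from that service, which deserves a look
        # before running it.
        action = "-a" if rec["ttype"] == "port_t" else "-m"
        key = (proto, rec["port"])
        commands[key] = (
            f"semanage port {action} -t {port_type} -p {proto} {rec['port']}"
        )
    return [commands[k] for k in sorted(commands)]


if __name__ == "__main__":
    for cmd in semanage_commands(SAMPLE_AUDIT, {"openvpn_t": "openvpn_port_t"}):
        print(cmd)
```

Run it against `ausearch -m avc` output (or /var/log/audit/audit.log) to get one command per distinct port; commands are printed rather than executed so the -m cases can be reviewed first.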
Comment 3 Alexandre Oliva 2007-07-02 02:28:49 UTC
I didn't even know that it had default ports.  A single port won't do, though; I
have multiple VPN configurations on some boxes, each using a different port.

Thanks for the tip on semanage; it's not clear to me, after reading the man
page, whether the setting survives reboot (or whether it requires a policy
reload to become effective).  I'll figure that out, but you may want to take a
note to improve the manual in this regard.  I can file a separate bug on that,
if you like.

Thanks again,

Comment 4 Daniel Walsh 2007-07-02 16:49:38 UTC
Yes, semanage survives reboots.  All policy changes do except setting booleans.
If you specify setsebool -P they are permanent.
