Description of problem:
openvpn can't bind to UDP ports

Version-Release number of selected component (if applicable):
not sure whether this was with selinux-policy-targeted-2.6.4-21.fc7 or the F7-pristine 2.6.4-8.fc7

How reproducible:
Every time

Steps to Reproduce:
1. Set up openvpn to listen for connections on a given UDP port (regardless of whether it's on boot or later)

Actual results:
type=AVC msg=audit(1183081488.432:32): avc: denied { name_bind } for pid=2969 comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1183081488.432:32): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fff2cb2f1e0 a2=10 a3=0 items=0 ppid=2950 pid=2969 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)
Jun 28 22:44:48 <host> openvpn[2969]: OpenVPN 2.1_rc4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007
Jun 28 22:44:48 <host> openvpn[2969]: TCP/UDP: Socket bind failed on local address <IP>:7189: Permission denied

Expected results:
No such errors

Additional info:
I've just confirmed that the problem still occurs with selinux-policy-targeted-2.6.4-21.fc7
Ok is port 7189 a default port for openvpn? Or is this something that you set up in a configuration? Or does openvpn select udp ports randomly to listen on? The system is set up to allow openvpn to listen on port 1194. If this is just your configuration you can add this port by executing semanage port -a -t openvpn_port_t -p udp 7189
I didn't even know that it had default ports. A single port won't do, though, I have multiple vpn configurations on some boxes, each using different ports. Thanks for the tip on semanage; it's not clear to me, after reading the man page, whether the setting survives reboot (or whether it requires a policy reload to become effective). I'll figure that out, but you may want to take a note to improve the manual in this regard. I can file a separate bug on that, if you like. Thanks again,
Yes semanage survives reboots. All policy changes do except setting booleans. If you specify the setsebool -P they are permanent.
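A small helper, added here as an illustration and not part of the bug report or the Fedora policy tooling, that turns a name_bind AVC denial like the one in the description into the persistent `semanage port` command from comment 3. It assumes the caller supplies the port type to assign (openvpn_port_t in this bug; the domain name in scontext does not reliably predict the port type, so it is not derived automatically), and it only prints the command rather than running it. The sample record below is constructed from the report's AVC line.

```shell
#!/bin/sh
# Added example (not from the bug report): map SELinux name_bind denials in an
# audit log to the `semanage port` invocation that labels the port persistently.
#
# Usage: avc_to_semanage PORT_TYPE < /var/log/audit/audit.log
#   PORT_TYPE is the SELinux port type to assign, e.g. openvpn_port_t (assumed
#   to be supplied by the caller; it is not derived from the domain name).

# Constructed sample input, shaped like the AVC record in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1183081488.432:32): avc: denied { name_bind } for pid=2969 comm="openvpn" src=7189 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'

avc_to_semanage() {
    port_type="$1"
    while IFS= read -r line; do
        # Only AVC records for the name_bind permission are relevant; the
        # accompanying SYSCALL records carry no port/protocol information.
        case "$line" in
            *"type=AVC"*"denied { name_bind }"*) ;;
            *) continue ;;
        esac
        port=; proto=; op="-a"
        # Audit fields are space-separated key=value pairs (no glob characters).
        for field in $line; do
            case "$field" in
                src=*)             port="${field#src=}" ;;
                tclass=udp_socket) proto=udp ;;
                tclass=tcp_socket) proto=tcp ;;
                # tcontext of generic port_t means the port is undefined and can
                # be added (-a); any other type already has a definition and must
                # be modified (-m), since `semanage port -a` refuses duplicates.
                tcontext=*)
                    case "$field" in
                        *:port_t:*) op="-a" ;;
                        *)          op="-m" ;;
                    esac ;;
            esac
        done
        [ -n "$port" ] && [ -n "$proto" ] || continue
        printf 'semanage port %s -t %s -p %s %s\n' "$op" "$port_type" "$proto" "$port"
    done
}

# Demonstration on the constructed record; prints the command to run as root.
printf '%s\n' "$SAMPLE_AVC" | avc_to_semanage openvpn_port_t
```

Because the label is written to the policy store, the change survives reboots and does not need a policy reload to take effect for new binds, which is the point comment 5 makes; `semanage port -l | grep openvpn` shows the resulting definition.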