Bug 781703 - SELinux blocks OpenVPN from connecting to custom TCP port.
Summary: SELinux blocks OpenVPN from connecting to custom TCP port.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-14 14:17 UTC by Ruediger Gad
Modified: 2012-01-16 08:13 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-16 08:13:28 UTC
Type: ---

Attachments (Terms of Use)
Output of audit log. (546 bytes, text/plain)
2012-01-14 14:17 UTC, Ruediger Gad 		no flags Details
audit2why output (418 bytes, text/plain)
2012-01-14 14:18 UTC, Ruediger Gad 		no flags Details
audit2allow output (197 bytes, text/plain)
2012-01-14 14:18 UTC, Ruediger Gad 		no flags Details
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 1 (288 bytes, application/octet-stream)
2012-01-14 14:19 UTC, Ruediger Gad 		no flags Details
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 2 (985 bytes, application/octet-stream)
2012-01-14 14:19 UTC, Ruediger Gad 		no flags Details
openvpn_tcp_custom_port.te (288 bytes, application/octet-stream)
2012-01-14 14:22 UTC, Ruediger Gad 		no flags Details
openvpn_tcp_custom_port.pp (985 bytes, application/octet-stream)
2012-01-14 14:22 UTC, Ruediger Gad 		no flags Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Description Ruediger Gad 2012-01-14 14:17:44 UTC 
Created attachment 555223 [details]
Output of audit log.

Description of problem:
SELinux blocks OpenVPN from connecting to custom TCP port.

Version-Release number of selected component (if applicable):
3.10.0

How reproducible:
Try to connect to an OpenVPN server using a non-default (other than 1194) TCP port by using a VPN connection set up with nm-applet.

Steps to Reproduce:
1. Install Fedora 16
2. Set up a VPN via nm-applet. The "server" does not need to actually run an OpenVPN server as this error occurs before the actual connection is established. 
3. Configure the VPN to use TCP and a non-default port via the advanced options, e.g., TCP port 1195.
4. Try to connect to the VPN.
  
Actual results:
SELinux prohibits OpenVPN from connecting. 
Output in /var/log/messages is as follows:
Jan 14 12:13:37 colin nm-openvpn[11491]: TCP: connect to 192.168.20.1:1195 failed, will try again in 5 seconds: Permission denied


Expected results:
OpenVPN should be allowed to create an outgoing TCP connection to servers that listen on non-default ports.

Additional info:
Comment 1 Ruediger Gad 2012-01-14 14:18:28 UTC 
Created attachment 555224 [details]
audit2why output
Comment 2 Ruediger Gad 2012-01-14 14:18:49 UTC 
Created attachment 555225 [details]
audit2allow output
Comment 3 Ruediger Gad 2012-01-14 14:19:33 UTC 
Created attachment 555226 [details]
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 1
Comment 4 Ruediger Gad 2012-01-14 14:19:52 UTC 
Created attachment 555227 [details]
Files generated with "audit2allow -b -M openvpn_tcp_custom_port" part 2
Comment 5 Ruediger Gad 2012-01-14 14:22:03 UTC 
Created attachment 555232 [details]
openvpn_tcp_custom_port.te
Comment 6 Ruediger Gad 2012-01-14 14:22:26 UTC 
Created attachment 555233 [details]
openvpn_tcp_custom_port.pp
Comment 7 Ruediger Gad 2012-01-14 14:27:51 UTC 
I missed that in the initial report: the version number 3.10.0 is the version of the selinux-policy package.
I hope this is the correct package for this bug.
Comment 8 Miroslav Grepl 2012-01-16 08:13:28 UTC 
We allow openvpn to connect to these ports

# sesearch --allow -C -s openvpn_t -c tcp_socket -p name_connect |grep -v DT

If you set up your own port, you will need to add a local policy. sealert
should tell you all options which you have.
Note You need to log in before you can comment on or make changes to this bug.