>> That did the trick! >> >> It was good that you've included this as a separate module so that I >> could test it, otherwise I had to patch and recompile the whole >> policy, then rebuild the image in order to test it and see whether >> it works. >> >> I take it to make this a 'permanent' solution I have to patch and >> include 'kernel_request_load_module(openvpn_t)' in openvpn.te >> (forming part of the -44 policy), is that right? >> > > Yes but Fedora should fix this. It is already fixed in f14 (v3.8.8-14). they just need to back port this to f13/f12 > Agreed. I am waiting to see if this patch is going to work in the event of connection reset/time out (in situations when the connection needs to be re-established - with/without closing the tun device and possibly re-establishing the ip address, routing and all other parameters) - in that case the tun kernel module should already be loaded so if anything goes wrong I am expecting 'relablefrom' avc to pop up. If not, then all is well and I am applying this patch permanently. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
