The proposed modifications were tested and work without a hitch, so I am making the changes permanent as part of my custom policy. Many thanks Dominick for your input. It is interesting though that when openvpn is restarted (which forces the 'closure' of the tun device, which is then opened again by openvpn) I do not get the 'relablefrom' avcs, but if I do open the tun device 'manually' (using 'openvpn --mktun') I do get these. This modification also helped me find a bug in the openvpn config file I was using (I have chrooted openvpn, but forgot to reset the SELinux permissions on the 'local' copy of ip, so that caused problems as well - easily fixed though), so that was an added bonus for me. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
