That did the trick!
It was good that you've included this as a separate module so that I could test it, otherwise I had to patch and recompile the whole policy, then rebuild the image in order to test it and see whether it works.
I take it to make this a 'permanent' solution I have to patch and include 'kernel_request_load_module(openvpn_t)' in openvpn.te (forming part of the -44 policy), is that right?
Yes but Fedora should fix this. It is already fixed in f14 (v3.8.8-14). they just need to back port this to f13/f12
Agreed. I am waiting to see if this patch is going to work in the event of connection reset/time out (in situations when the connection needs to be re-established - with/without closing the tun device and possibly re-establishing the ip address, routing and all other parameters) - in that case the tun kernel module should already be loaded so if anything goes wrong I am expecting 'relablefrom' avc to pop up. If not, then all is well and I am applying this patch permanently.
selinux@lists.fedoraproject.org