type=AVC msg=audit(1756218769.705:22736): avc: denied { create } for pid=11149 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0

I haven't yet noticed any loss of functionality.

Reproducible: Always

Steps to Reproduce:
1. (Re-)start openvpn-client service
2. ausearch -c openvpn

Actual Results:
type=AVC msg=audit(1756218769.705:22736): avc: denied { create } for pid=11149 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0

Expected Results:
No denial logged.

Additional Information:
OpenVPN configuration:

client
dev rht0
dev-type tun
tun-mtu 1360
#proto tcp-client
proto udp
topology subnet
remote ovpn-rdu2.redhat.com 443
nobind
persist-key
persist-tun
user openvpn
group openvpn
cd /etc/openvpn
ca /etc/openvpn/client/RH-IT-Root-CA.crt
cipher AES-256-CBC
reneg-sec 0
#tls-remote ovpn-rdu2.redhat.com
verify-x509-name ovpn.redhat.com name
auth-user-pass
auth-nocache
ping 30
ping-exit 120
# Enable 'verb 4' for basic debug
# Enable 'verb 5' for debug + packet traversal notification
#verb 4
#verb 5
#up /etc/openvpn/client.up
# i386
#plugin /usr/lib/openvpn/plugin/lib/openvpn-down-root.so /etc/openvpn/client.down
# x86_64
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so /etc/openvpn/client.down
#script-security 2
#up "/usr/sbin/sysctl -p /etc/openvpn/client/rht0-sysctl.conf"
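Worked example, added here and not part of the report or of the selinux-policy project: a small parser for AVC records in the form ausearch prints above. It extracts the source and target types, object class and permissions, distinguishes an enforced denial (permissive=0) from one that was only logged, and renders each (source, target, class) group as a TE allow rule of the kind a local policy module would carry. The sample log is constructed: the first record is the one from this report, the rest are made-up records for a hypothetical example_t domain, included only to exercise the merging and permissive handling.

```python
import re

# Matches the AVC record layout printed by ausearch / the audit log:
#   type=AVC msg=audit(<ts>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# user:role:type[:range]; only the type component is needed for a rule
CTX_RE = re.compile(r"^[^:]+:[^:]+:(?P<type>[^:]+)")

# Constructed sample: the record from this report plus made-up records for a
# hypothetical example_t domain running in permissive mode.
SAMPLE_LOG = """\
type=AVC msg=audit(1756218769.705:22736): avc: denied { create } for pid=11149 comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1756218770.000:22740): avc: denied { read } for pid=999 comm="example" name="app.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1756218770.001:22741): avc: denied { open } for pid=999 comm="example" name="app.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""


def parse_avc(line):
    """Parse one AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
    }
    for key, value in FIELD_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    # permissive=1 means the access was logged but not actually blocked
    rec["enforced"] = rec["verdict"] == "denied" and rec.get("permissive") == "0"
    return rec


def context_type(ctx):
    """Return the type component of a security context string."""
    m = CTX_RE.match(ctx)
    return m["type"] if m else None


def allow_rule(src_type, tgt_type, tclass, perms):
    """Render a TE allow rule; a target equal to the source is written as 'self'."""
    target = "self" if tgt_type == src_type else tgt_type
    perm_list = sorted(perms)
    perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
    return f"allow {src_type} {target}:{tclass} {perm_str};"


def triage(log_text):
    """Collapse denied AVC records into one allow rule per (source, target, class).

    Returns a list of (rule, enforced) tuples; enforced is True when at least one
    contributing record was an actual block (permissive=0)."""
    merged = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        perms, enforced = merged.setdefault(key, (set(), False))
        perms.update(rec["perms"])
        merged[key] = (perms, enforced or rec["enforced"])
    return [(allow_rule(s, t, c, perms), enforced)
            for (s, t, c), (perms, enforced) in merged.items()]


if __name__ == "__main__":
    for rule, enforced in triage(SAMPLE_LOG):
        print(("BLOCKED  " if enforced else "logged   ") + rule)
```

Run against the record in this report the script yields `allow openvpn_t self:netlink_generic_socket create;` marked as blocked, which is the access the policy update later grants; the rendered rule is a starting point for review, not something to load blindly, since it only reflects what was logged, not whether the access is appropriate.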
FYI, I think that I figured out what OpenVPN is doing here. Here is the relevant portion of an strace when I run OpenVPN from the console.

socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
getpid() = 18029
bind(3, {sa_family=AF_NETLINK, nl_pid=-218085779, nl_groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, nl_pid=-218085779, nl_groups=00000000}, [12]) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
sendmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2538663848, nlmsg_pid=-218085779}, {cmd=CTRL_CMD_GETFAMILY, version=1}, [{nla_len=16, nla_type=CTRL_ATTR_FAMILY_NAME}, "ovpn-dco-v2"]], iov_len=36}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 36
recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{nlmsg_len=56, nlmsg_type=NLMSG_ERROR, nlmsg_flags=0, nlmsg_seq=2538663848, nlmsg_pid=-218085779}, {error=-ENOENT, msg=[{nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2538663848, nlmsg_pid=-218085779}, {cmd=CTRL_CMD_GETFAMILY, version=1}, [{nla_len=16, nla_type=CTRL_ATTR_FAMILY_NAME}, "ovpn-dco-v2"]]}], iov_len=16384}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, MSG_PEEK|MSG_TRUNC) = 56
recvmsg(3, {msg_name={sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{nlmsg_len=56, nlmsg_type=NLMSG_ERROR, nlmsg_flags=0, nlmsg_seq=2538663848, nlmsg_pid=-218085779}, {error=-ENOENT, msg=[{nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=2538663848, nlmsg_pid=-218085779}, {cmd=CTRL_CMD_GETFAMILY, version=1}, [{nla_len=16, nla_type=CTRL_ATTR_FAMILY_NAME}, "ovpn-dco-v2"]]}], iov_len=16384}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 56
close(3)

So it's trying to find a netlink family named "ovpn-dco-v2". OpenVPN DCO appears to be a kernel-based accelerator for OpenVPN - https://openvpn.net/as-docs/openvpn-dco.html.
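The exchange in the strace above, reproduced as an added example in Python (not part of the report and not OpenVPN's own code). It builds the same 36-byte nlctrl / CTRL_CMD_GETFAMILY request with a single CTRL_ATTR_FAMILY_NAME attribute, decodes the 56-byte NLMSG_ERROR / -ENOENT reply the kernel returns when no "ovpn-dco-v2" family is registered, and also decodes the CTRL_CMD_NEWFAMILY reply a registered family would get. The reply builders are constructed stand-ins for the kernel so the decoding can be checked offline; run directly on Linux, the script performs the lookup for real. Function names are the example's own.

```python
import errno
import socket
import struct

# Constants from <linux/netlink.h> and <linux/genetlink.h>
NETLINK_GENERIC = 16
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
GENL_ID_CTRL = 0x10            # the "nlctrl" family that answers family lookups
CTRL_CMD_NEWFAMILY = 1
CTRL_CMD_GETFAMILY = 3
CTRL_ATTR_FAMILY_ID = 1
CTRL_ATTR_FAMILY_NAME = 2

NLMSGHDR = struct.Struct("=IHHII")  # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
GENLMSGHDR = struct.Struct("=BBH")  # cmd, version, reserved
NLATTR = struct.Struct("=HH")       # nla_len, nla_type


def _align4(n):
    return (n + 3) & ~3


def build_getfamily_request(family_name, seq, pid):
    """The request in the strace: nlctrl / CTRL_CMD_GETFAMILY carrying one
    CTRL_ATTR_FAMILY_NAME attribute. For "ovpn-dco-v2" this is 36 bytes."""
    name = family_name.encode() + b"\0"
    attr = NLATTR.pack(NLATTR.size + len(name), CTRL_ATTR_FAMILY_NAME) + name
    attr += b"\0" * (_align4(len(attr)) - len(attr))
    body = GENLMSGHDR.pack(CTRL_CMD_GETFAMILY, 1, 0) + attr
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), GENL_ID_CTRL,
                         NLM_F_REQUEST | NLM_F_ACK, seq, pid) + body


def build_error_reply(request, error):
    """Constructed kernel reply: NLMSG_ERROR with the errno and the echoed request (56 bytes)."""
    _, _, _, seq, pid = NLMSGHDR.unpack_from(request, 0)
    body = struct.pack("=i", error) + request
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), NLMSG_ERROR, 0, seq, pid) + body


def build_newfamily_reply(request, family_id):
    """Constructed kernel reply for a registered family: CTRL_CMD_NEWFAMILY with its id."""
    _, _, _, seq, pid = NLMSGHDR.unpack_from(request, 0)
    attr = NLATTR.pack(NLATTR.size + 2, CTRL_ATTR_FAMILY_ID) + struct.pack("=H", family_id) + b"\0\0"
    body = GENLMSGHDR.pack(CTRL_CMD_NEWFAMILY, 2, 0) + attr
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), GENL_ID_CTRL, 0, seq, pid) + body


def parse_nlattrs(data):
    """Walk a netlink attribute list into {nla_type: payload bytes}."""
    attrs = {}
    off = 0
    while off + NLATTR.size <= len(data):
        nla_len, nla_type = NLATTR.unpack_from(data, off)
        if nla_len < NLATTR.size:
            break
        attrs[nla_type] = data[off + NLATTR.size:off + nla_len]
        off += _align4(nla_len)
    return attrs


def parse_getfamily_reply(data):
    """Return the numeric family id, or a negative errno (-ENOENT: family not registered)."""
    nlmsg_len, nlmsg_type, _, _, _ = NLMSGHDR.unpack_from(data, 0)
    body = data[NLMSGHDR.size:nlmsg_len]
    if nlmsg_type == NLMSG_ERROR:
        return struct.unpack_from("=i", body, 0)[0]
    if nlmsg_type == GENL_ID_CTRL:
        cmd, _, _ = GENLMSGHDR.unpack_from(body, 0)
        if cmd == CTRL_CMD_NEWFAMILY:
            attrs = parse_nlattrs(body[GENLMSGHDR.size:])
            return struct.unpack("=H", attrs[CTRL_ATTR_FAMILY_ID][:2])[0]
    raise ValueError("unexpected genetlink reply type %d" % nlmsg_type)


def lookup_family(family_name="ovpn-dco-v2"):
    """Run the exchange for real (Linux only). Note this runs in the caller's own
    SELinux domain, not openvpn_t, so it is not subject to the denial above."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_GENERIC)
    try:
        sock.bind((0, 0))                      # kernel assigns the port id
        pid = sock.getsockname()[0]
        sock.sendto(build_getfamily_request(family_name, 1, pid), (0, 0))
        return parse_getfamily_reply(sock.recv(16384))
    finally:
        sock.close()


if __name__ == "__main__":
    result = lookup_family()
    if result < 0:
        print("ovpn-dco-v2 not registered:", errno.errorcode.get(-result, result))
    else:
        print("ovpn-dco-v2 family id:", result)
```

The lookup itself is the netlink_generic_socket create/bind/send sequence that the denial is about; it needs no privilege, and the -ENOENT on a kernel without the DCO module is the normal "not available" answer OpenVPN falls back from, not an error caused by SELinux.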
For now, the denial can be eliminated by adding the "disable-dco" option to the OpenVPN configuration.
Excellent, thank you, information added to the commit message. You can now try the copr build from https://github.com/fedora-selinux/selinux-policy/pull/2848 checks -> rawhide build
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5
FEDORA-2025-7a468a12c5 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7a468a12c5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7a468a12c5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-7a468a12c5 (selinux-policy-42.7-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.