How to Fix SELinux Blocking PrivateVPN on AlmaLinux 10

Published: 2026-06-02
Google AdSense 广告位 (待申请通过后开启)

In AlmaLinux 10 (GNOME desktop environment), the configuration in version 10.1 wasn't this strict; modifying the firewall could still work. However, after upgrading to 10.2, it stopped working altogether, and now a complete overhaul is needed.

1. Fix SELinux tags in imported files. When NetworkManager starts the OpenVPN client in the background, SELinux requires all associated configuration files and certificates to have specific security tags.

sudo restorecon -Rv /etc/NetworkManager/

2. Allow access via SELinux boolean values ​​related to NetworkManager.

sudo setsebool -P NetworkManager_can_forward_packets on

sudo setsebool -P NetworkManager_connect_all_unlabeled on 2>/dev/null

3. Enable SELinux by setting a boolean value to allow the VPN to read the home directory.

sudo setsebool -P vpn_enable_homedirs on

4. Repair the SELinux-specific security label in the certificate directory.

sudo chcon -R -t home_cert_t /home/jey/.cert/

sudo semanage fcontext -a -t home_cert_t "/home/jey/.cert(/.*)?"

sudo restorecon -Rv /home/jey/.cert/

5. Execute the incomplete policy release command.

sudo setsebool -P vpn_enable_homedirs on

6. Use audit2allow to generate a NetworkManager patch.

sudo grep "comm=\"openvpn\"" /var/log/audit/audit.log | audit2allow -M alma10_nm_vpn_home

7. Load this security patch module

sudo semodule -i alma10_nm_vpn_home.pp

8. Move all VPN certificates to the system's public security directory

# Create a secure system-level certificate storage directory

sudo mkdir -p /var/lib/NetworkManager-openvpn/

# Copy all certificate files from your home directory.

sudo cp -r /home/jey/.cert/nm-openvpn/* /var/lib/NetworkManager-openvpn/

# Assign a dedicated SELinux label to NetworkManager

sudo restorecon -Rv /var/lib/NetworkManager-openvpn/

9. Correct the system read permissions for these files.

sudo chmod 644 /var/lib/NetworkManager-openvpn/*

10. One-click batch modification of certificate paths for all VPN nodes

# Batch replace CA certificate paths and TLS-Auth certificate paths in the configuration file

sudo sed -i 's|/home/jey/.cert/nm-openvpn/|/var/lib/NetworkManager-openvpn/|g' /etc/NetworkManager/system-connections/*.nmconnection

11. Make NetworkManager reload the configuration.

sudo firewall-cmd --reload 2>/dev/null

sudo systemctl reload NetworkManager

12. Full capture strategy for when NetworkManager plugin is blocked

sudo grep -E "NetworkManager|openvpn" /var/log/audit/audit.log | audit2allow -M almalinux10_nm_vpn_final

13. Force load this final patch (Note: Merging the full strategy takes approximately 5-10 seconds; please wait patiently for the terminal prompt to reappear).

sudo semodule -i almalinux10_nm_vpn_final.pp

14. Restart the network service and connect.

sudo systemctl restart NetworkManager

15. Retest

sudo grep "avc: denied" /var/log/audit/audit.log | tail -n 5

16. Modify the directory and refresh to the correct SELinux-specific label

# Permanently register this path as a net_conf_t label type

sudo semanage fcontext -a -t net_conf_t "/var/lib/NetworkManager-openvpn(/.*)?"

# Force refresh to make it take effect immediately

sudo restorecon -Rv /var/lib/NetworkManager-openvpn/

17. Restart the network service and connect.

sudo systemctl restart NetworkManager

18. PrivateVPN connection successful

After downloading a new PrivateVPN node configuration file (.ovpn), simply follow these two steps to quickly allow access:

Place the extracted .pem certificate into /var/lib/NetworkManager-openvpn/

Run a tab refresh:

sudo restorecon -Rv /var/lib/NetworkManager-openvpn/

The most stubborn system-level security restriction on AlmaLinux 10 (RHEL 10).

Root cause: The new SELinux version completely removed the `vpn_enable_homedirs` shortcut switch, cutting off any access to the `/home` user directory by network plugins by default.

Perfect solution: We moved the certificate to the system's public security area `/var/lib/NetworkManager-openvpn/` and precisely assigned it the network trust label `net_conf_t`, thus allowing PrivateVPN to function without lowering the system's security level (maintaining the Enforcing state). Now your global network data is under the encrypted protection of PrivateVPN.

This method works exactly the same on Red Hat Enterprise Linux 10 (RHEL 10):

sudo mkdir -p /var/lib/NetworkManager-openvpn/

# Copy your certificate files (.pem/.crt/.key) into this directory

sudo cp /path/to/your/certificates/* /var/lib/NetworkManager-openvpn/

sudo chmod 644 /var/lib/NetworkManager-openvpn/*

The only difference is binding the official RHEL 10 network tag (net_conf_t).

Since RHEL 10 has completely deprecated the vpn_enable_homedirs switch, the system network component (nm-libnm-helper) must be allowed to read it legally by registering the tag:

sudo semanage fcontext -a -t net_conf_t "/var/lib/NetworkManager-openvpn(/.*)?"

sudo restorecon -Rv /var/lib/NetworkManager-openvpn/

# Batch correct paths

sudo sed -i 's|/home/.*\.cert/nm-openvpn/|/var/lib/NetworkManager-openvpn/|g' /etc/NetworkManager/system-connections/*.nmconnection

# Restart network service for the changes to take effect

sudo systemctl restart NetworkManager

Explore More

Technology Guides →

How to Fix SELinux Blocking OpenVPN on AlmaLinux 10

How to Fix Eclipse Startup Errors on AlmaLinux 10

Southeast Asia Insights →