diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1905bf9a4..2d3c278de 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
 
+##
+##

+## Allow dbus-daemon system bus to access /dev/net/tun
+## which is needed to pass tun/tap device file descriptors
+## over D-Bus. This is needed by openvpn3-linux.
+##

+##
+gen_tunable(dbus_can_pass_tuntap_fd, false)
+
 attribute dbusd_unconfined;
 attribute session_bus_type;
 
@@ -165,6 +174,10 @@ ifdef(`init_systemd', `
 init_write_runtime_socket(system_dbusd_t)
 ')
 
+tunable_policy(`dbus_can_pass_tuntap_fd',`
+ corenet_rw_tun_tap_dev(system_dbusd_t)
+')
+
 optional_policy(`
 # for /run/systemd/users/*
 systemd_read_logind_pids(system_dbusd_t)
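Review bot: The tunable description in the first hunk only says dbus-daemon may "access" /dev/net/tun, which does not tell an administrator what turning on `dbus_can_pass_tuntap_fd` grants. Going by the second hunk, the boolean gives `system_dbusd_t` itself read/write permission on the tun/tap device, so the text should say that, e.g. `## Allow the D-Bus system bus daemon (system_dbusd_t) read/write access to the tun/tap device (/dev/net/tun)`. I would also add a sentence that the boolean is meant to stay off unless a service that passes such descriptors over the system bus (openvpn3-linux is the one named) is in use.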
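Review bot: `corenet_rw_tun_tap_dev(system_dbusd_t)` in the new `tunable_policy` block looks broader than relaying a descriptor requires. As far as I know, that interface grants the full read/write set on the tun/tap character device including `open`, so with the boolean on the system bus daemon could open /dev/net/tun itself rather than only handle descriptors handed to it. If the tree offers an interface limited to inherited descriptors (read/write without `open`), it would fit the stated purpose better; otherwise a comment such as `# dbus-daemon only relays fds opened by the VPN service; it is not expected to open the device itself` would record the intent for later audits. Receiving the descriptor presumably also needs `fd use` on the sending domain, which is not visible in this hunk.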