Description of problem:
The Cups IPP backend printing service is denied access across my local network when IPSEC and SELinux are enabled. After temporarily placing SELinux in permissive mode, audit.log shows the following.

##########
type=AVC msg=audit(1154602245.326:2449): avc: denied { recvfrom } for pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1154602245.326:2450): avc: denied { sendto } for pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
##########

Audit2allow shows that the following rule might be used: "allow unlabeled_t self:association { recvfrom sendto };", but that seems too permissive.

The "cups" and "ipp" processes both show the domain "system_u:system_r:cupsd_t:SystemLow-SystemHigh" in use. The "selinux-policy-2.3.3-8.fc5" interface configuration files for Cups, "/usr/share/selinux/strict/include/services/cups.if" and "/usr/share/selinux/targeted/include/services/cups.if", do not show the "corenet_non_ipsec_sendrecv(cupsd_t)" directive to allow Cups to use unlabeled IPSEC associations. The default "unlabeled_t -> unlabeled_t" access is being attempted instead of the required "cupsd_t -> unlabeled_t".

Version-Release number of selected component (if applicable):
I am using selinux-policy-targeted-2.3.3-8.fc5, cups-1.2.2-1.1, and kernel-2.6.17-1.2157_FC5.
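The check the reporter applies to the audit2allow suggestion can be done mechanically before any rule is loaded. The following is an added example, not part of the original report and not code from audit2allow or the SELinux project: it parses AVC denials, rebuilds the candidate allow rule, and flags rules whose source type is not a confined daemon domain. The function names and the `BROAD_SOURCE_TYPES` set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the report above.
SAMPLE_LOG = """\
type=AVC msg=audit(1154602245.326:2449): avc: denied { recvfrom } for pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1154602245.326:2450): avc: denied { sendto } for pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Assumption of this example: a rule whose source is one of these types is not
# scoped to a single daemon domain (such as cupsd_t) and needs manual review.
BROAD_SOURCE_TYPES = {"unlabeled_t"}

def ctx_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
    return groups

def candidate_rules(log_text):
    """Return sorted (rule, needs_review, comms) tuples, one per group."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(log_text).items()):
        target = "self" if src == tgt else tgt
        perms = " ".join(sorted(g["perms"]))
        rule = f"allow {src} {target}:{cls} {{ {perms} }};"
        out.append((rule, src in BROAD_SOURCE_TYPES, sorted(g["comms"])))
    return out

if __name__ == "__main__":
    for rule, review, comms in candidate_rules(SAMPLE_LOG):
        print(f"{rule}  # comm={','.join(comms)}  review={review}")
```

On the two denials from the report this reproduces the rule audit2allow proposed and marks it for review, since the source type is `unlabeled_t` even though the process named in `comm` runs in `cupsd_t`.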
Fixed in selinux-policy-2.3.6-3.fc5
Also observed for "selinux-policy-targeted-2.3.3-22" in "RHEL5 Beta 1" according to "audit.log":
type=AVC msg=audit(1157897864.063:325): avc: denied { ioctl } for pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
(In reply to comment #2) I finally think it was not such a good idea to post this here. Issue reported independently as bug 205934.
Closing bugs