With SELinux in enforcing mode, we get:
cupsd[7407]: REQUEST localhost - - "POST /printers/WIN7PRO64-PCCanon-G2000-series-Printer HTTP/1.1" 200 11277 Print-Job successful-ok
xpraforwarder[12833]: '/usr/lib/cups/backend/xpraforwarder' '430' 'antoine' 'Untitled Document 1' '1' 'InputSlot=Default number-up=1 PageSize=A4 noCollate Duplex=None job-uuid=urn:uuid:0d3fcb1d-eb6f-3054-74ce-7e4665abb621 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1554743759 time-at-processing=1554743759'
xpraforwarder[12833]: version 3.0, username: antoine, title: Untitled Document 1, filename: -, job_id: 430
xpraforwarder[12833]: uid=(0, 0, 0), gid=(7, 7, 7)
xpraforwarder[12833]: DEVICE_URI=xpraforwarder:/tmp?display=%3A20&source=948bf580fddb9196be1de3228448866026eb8a9b&socket-path=%2Frun%2Fuser%2F1000%2Fxpra%2Fdesktop-20&remote-printer=%5C%5CWIN7PRO64-PC%5CCanon+G2000+series+Printer&remote-device-uri=None&mimetype=application%2Fpostscript
xpraforwarder[12833]: parsed attributes={'mimetype': ['application/postscript'], 'socket-path': ['/run/user/1000/xpra/desktop-20'], 'remote-printer': ['\\\\WIN7PRO64-PC\\Canon G2000 series Printer'], 'remote-device-uri': ['None'], 'source': ['948bf580fddb9196be1de3228448866026eb8a9b'], 'display': [':20']}
xpraforwarder[12833]: xpra display: :20, socket-path: /run/user/1000/xpra/desktop-20
xpraforwarder[12833]: running: ['xpra', 'print', 'socket:/run/user/1000/xpra/desktop-20', '-', 'application/postscript', '948bf580fddb9196be1de3228448866026eb8a9b', 'Untitled Document 1', '\\\\WIN7PRO64-PC\\Canon G2000 series Printer', '1', 'InputSlot=Default number-up=1 PageSize=A4 noCollate Duplex=None job-uuid=urn:uuid:0d3fcb1d-eb6f-3054-74ce-7e4665abb621 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1554743759 time-at-processing=1554743759']
xpraforwarder[12833]: returncode=1
xpraforwarder[12833]: stdout=
xpraforwarder[12833]: stderr=xpra initialization error: failed to connect to '/run/user/1000/xpra/desktop-20': [Errno 13] Permission denied
With SELinux not in enforcing mode, it does work. Here are the AVCs:
avc: denied { write } for pid=13464 comm="xpra" name="desktop-20" dev="tmpfs" ino=2876468 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=13464 comm="xpra" path="/run/user/1000/xpra/desktop-20" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
avc: denied { getattr } for pid=13732 comm="mdadm" path="/dev/gpmctl" dev="devtmpfs" ino=33443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
avc: denied { read } for pid=13732 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { open } for pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 ioctlcmd=0x1268 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { read } for pid=13873 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { open } for pid=13873 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { ioctl } for pid=13873 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 ioctlcmd=0x1268 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
The quick and dirty "fix" would be:
#============= cupsd_t ==============
allow cupsd_t unconfined_t:unix_stream_socket connectto;
allow cupsd_t user_tmp_t:sock_file write;
But this would allow CUPS to connect to any socket.
Some of those AVCs were caused by a missing policy and are already covered in #815, fixes added in r23682.
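The triage described above, splitting the denials by source domain so the cupsd_t pair caused by xpraforwarder is separated from the unrelated pcp_pmcd_t ones, and deriving the resulting allow rules, as an added example that is not part of the original ticket or the xpra code base. The `GENERIC_TARGETS` set and the function names are assumptions of this example; the sample records are copied from the AVC list above.

```python
import re
from collections import defaultdict

# AVC records copied from the ticket: two from cupsd_t, three from pcp_pmcd_t.
SAMPLE_AVCS = """\
avc: denied { write } for pid=13464 comm="xpra" name="desktop-20" dev="tmpfs" ino=2876468 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=13464 comm="xpra" path="/run/user/1000/xpra/desktop-20" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
avc: denied { getattr } for pid=13732 comm="mdadm" path="/dev/gpmctl" dev="devtmpfs" ino=33443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
avc: denied { read } for pid=13732 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc: denied { open } for pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: types that label many unrelated objects.
GENERIC_TARGETS = {"unconfined_t", "user_tmp_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return {"perms": m.group(1).split(), "comm": fields.get("comm"),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"]}


def rules_by_domain(text):
    """Group denials by source domain into audit2allow-style allow rules."""
    perms = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            perms[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    out = defaultdict(list)
    for (src, tgt, cls), p in sorted(perms.items()):
        names = sorted(p)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        note = "  # generic target type" if tgt in GENERIC_TARGETS else ""
        out[src].append(f"allow {src} {tgt}:{cls} {body};{note}")
    return dict(out)


if __name__ == "__main__":
    for domain, rules in rules_by_domain(SAMPLE_AVCS).items():
        print(f"#============= {domain} ==============", *rules, sep="\n")
```

Both cupsd_t rules come out flagged: their target types are not specific to the xpra socket, which is the concern raised about the quick fix.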
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2265