linux-igd blocked by SELinux

Daniel Fazekas fdsubs at t-online.hu
Mon Aug 4 21:08:13 UTC 2008


The linux-igd package in Fedora 9 doesn't seem to function at all in  
its default configuration with SELinux enabled.

It's a UPnP IGD implementation which calls iptables to automatically  
add requested port forwarding DNAT entries to the nat table's  
PREROUTING chain, and the filter table's FORWARD chain.

Two runs through audit2allow made me a module which allows it to  
function, however, I'm worried whether the automatically generated  
rules are sensible, or if it's even normal that a Fedora 9 package by  
default just wouldn't work at all with SELinux enforcing on. Thanks  
for any insight.
The upnpd runs as root.

The package versions:
linux-igd-1.0-5.fc9.i386
selinux-policy-targeted-3.3.1-79.fc9.noarch

Audit messages:
type=1400 audit(1217802519.747:3819): avc:  denied  { read write } for  pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc:  denied  { read write } for  pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid:  invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process

The auto-generated module which allows it to function:
module myupnpd 1.0.1;

require {
	type iptables_t;
	type initrc_t;
	type insmod_t;
	role unconfined_r;
	class tcp_socket { read write };
	class udp_socket { read write };
}

#============= ROLES ==============
# Authorises the unconfined_r role for the insmod_t domain, so that iptables_t
# (running under unconfined_r) can transition into insmod_t when it executes
# the insmod_exec_t binary (modprobe/insmod) to load a netfilter module.
# This covers the type=1401 "invalid context" message above.
role unconfined_r types insmod_t;

#============= iptables_t ==============
# iptables, spawned by upnpd (initrc_t), inherits that daemon's open TCP and
# UDP sockets and is denied read/write on them. These two rules cover the
# type=1400 AVC denials above.
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
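To show what audit2allow does with the three audit records above, here is an added example (not part of the original message and not the real audit2allow) that parses those records into the same `require`/`allow`/`role` layout and, as a review aid, flags the two socket denials as what they usually are: descriptors that `iptables` inherited from its parent `upnpd` rather than sockets it needs. The sample log below is the post's three records joined into one line each; `parse_audit`, `render_module` and the leak heuristic are this example's own names.

```python
"""Minimal audit2allow-style translator for the AVC records in this thread.

Added example, not the original post's code and not the real audit2allow:
it turns type=1400 AVC denials and type=1401 invalid-context messages into
Type Enforcement rules, and marks denials that look like an inherited
(leaked) socket descriptor, which are better fixed in the daemon that
spawns iptables (close-on-exec) or silenced with dontaudit than allowed.
"""
import re
from collections import defaultdict

# Constructed sample: the three audit lines from the post, one record per
# line (the mail client had wrapped them).
AUDIT_LOG = """\
type=1400 audit(1217802519.747:3819): avc:  denied  { read write } for  pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc:  denied  { read write } for  pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid:  invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
SID_RE = re.compile(
    r'security_compute_sid:\s+invalid\s+context\s+(?P<ctx>\S+)\s+for\s+'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def ctx_field(ctx, idx):
    """Return field idx of a user:role:type[:range] security context."""
    return ctx.split(':')[idx]


def parse_audit(text):
    """Collect allow rules, role authorisations and suspected fd leaks."""
    allows = defaultdict(set)   # (source type, target type, class) -> perms
    roles = set()               # (role, type) pairs for 'role R types T;'
    leaks = []                  # denials that look like inherited descriptors
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            src, tgt = ctx_field(m['scon'], 2), ctx_field(m['tcon'], 2)
            key = (src, tgt, m['tclass'])
            allows[key].update(m['perms'].split())
            # A socket owned by another *domain* (here initrc_t) that shows up
            # as path="socket:[...]" is typically a descriptor the child
            # inherited across exec, not an object iptables opened itself.
            if m['tclass'].endswith('_socket') and 'path="socket:[' in line:
                leaks.append(key)
            continue
        m = SID_RE.search(line)
        if m and m['tclass'] == 'process':
            # The kernel computed a transition target whose role is not
            # authorised for its type; audit2allow answers with a role rule.
            roles.add((ctx_field(m['ctx'], 1), ctx_field(m['ctx'], 2)))
    return allows, roles, leaks


def render_module(name, version, allows, roles):
    """Emit a .te module in the layout shown in the post (audit2allow -M)."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in allows.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    types.update(t for _, t in roles)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\trole {r};" for r in sorted({r for r, _ in roles})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    if roles:
        out += ["", "#============= ROLES =============="]
        out += [f"role {r} types {t};" for r, t in sorted(roles)]
    for src in sorted({s for s, _, _ in allows}):
        out += ["", f"#============= {src} =============="]
        for (s, tgt, cls), perms in sorted(allows.items()):
            if s == src:
                out.append(f"allow {s} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    allows, roles, leaks = parse_audit(AUDIT_LOG)
    print(render_module("myupnpd", "1.0.1", allows, roles))
    for src, tgt, cls in leaks:
        print(f"# review: {src} -> {tgt}:{cls} looks like a descriptor leaked by the parent")
```

Running it reproduces the `myupnpd` module from the post and prints two review lines for the tcp_socket and udp_socket denials. Those two are the rules worth questioning: they widen `iptables_t` to the daemon's sockets only because the sockets were left open across `exec`, which is a leak in the spawning program, not an access the firewall tool needs. The `role unconfined_r types insmod_t;` line, by contrast, reflects a genuine need (iptables loading a netfilter module via modprobe) and is the kind of rule one would expect the distribution policy to carry.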
