We have a CentOS 7 workstation whose user has started reporting periodic login failures. This seems to be the result of the krb5 cache aging out, and sssd's krb5_child attempting and failing to remove the old cache file. The AVC follows:
type=AVC msg=audit(1586670874.327:73041): avc: denied { unlink } for pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0" ino=67978294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
The policy allows sssd_t to unlink user_tmp_type:
sesearch -s sssd_t --allow: allow sssd_t user_tmp_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
Is the problem that the credential cache files in /tmp are being created with the wrong label, or is there some other problem I'm not seeing?