We have a CentOS 7 workstation whose user has started reporting periodic
login failures. This seems to be the result of the krb5 cache aging
out, and sssd's krb5_child attempting and failing to remove the old
cache file. The AVC follows:
type=AVC msg=audit(1586670874.327:73041): avc: denied { unlink } for
pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0"
ino=67978294 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
The policy allows sssd_t to unlink user_tmp_type:
sesearch -s sssd_t --allow:
allow sssd_t user_tmp_type : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename open } ;
Is the problem that the credential cache files in /tmp are being created
with the wrong label, or is there some other problem I'm not seeing?