[CentOS] SELinux denies login

Mon Apr 13 20:48:09 UTC 2020
Gordon Messmer <gordon.messmer at gmail.com>

We have a CentOS 7 workstation whose user has started reporting periodic 
login failures.  This seems to be the result of the krb5 cache aging 
out, and sssd's krb5_child attempting and failing to remove the old 
cache file.  The AVC follows:

type=AVC msg=audit(1586670874.327:73041): avc:  denied  { unlink } for 
pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0" 
ino=67978294 scontext=system_u:system_r:sssd_t:s0 
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

The policy allows sssd_t to unlink user_tmp_type:

  sesearch -s sssd_t --allow:
    allow sssd_t user_tmp_type : file { ioctl read write create getattr 
setattr lock relabelfrom relabelto append unlink link rename open } ;

Is the problem that the credential cache files in /tmp are being created 
with the wrong label, or is there some other problem I'm not seeing?