We have a CentOS 7 workstation whose user has started reporting periodic login failures. This seems to be the result of the krb5 cache aging out, and sssd’s krb5_child attempting and failing to remove the old cache file. The AVC follows:

type=AVC msg=audit(1586670874.327:73041): avc: denied { unlink } for pid(735 comm=”krb5_child” name=”krb5cc_1985100122_oxJnH7″ dev=”dm-0″
inog978294 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

The policy allows sssd_t to unlink user_tmp_type:

sesearch -s sssd_t –allow:
allow sssd_t user_tmp_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;

Is the problem that the credential cache files in /tmp are being created with the wrong label, or is there some other problem I’m not seeing?