Description of problem:
Sssd is prevented by SELinux from writing to tmpfs (exact location unclear ATM). This breaks sssd authentication against Kerberos servers when a krb5_child process needs to write a TGT to a temporary file. This is manifested by the following messages in /var/log/sssd/krb5_child.log:

(Mon Nov 25 20:16:55 2013) [[sssd[krb5_child[9824]]]] [get_and_save_tgt] (0x0020): 958: [13][Permission denied]
(Mon Nov 25 20:16:55 2013) [[sssd[krb5_child[9824]]]] [map_krb5_error] (0x0020): 979: [13][Permission denied]

and is reflected by the following message in /var/log/audit/audit.log:

type=AVC msg=audit(1385403415.267:725): avc: denied { write } for pid=9824 comm="krb5_child" path=2F202864656C6574656429 dev="tmpfs" ino=31589 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch
sssd-common-1.11.2-1.el7.x86_64
sssd-ad-1.11.2-1.el7.x86_64
sssd-1.11.2-1.el7.x86_64
libsss_idmap-1.11.2-1.el7.x86_64
sssd-client-1.11.2-1.el7.x86_64
sssd-krb5-common-1.11.2-1.el7.x86_64
sssd-ipa-1.11.2-1.el7.x86_64
sssd-krb5-1.11.2-1.el7.x86_64
sssd-proxy-1.11.2-1.el7.x86_64
python-sssdconfig-1.11.2-1.el7.noarch
sssd-common-pac-1.11.2-1.el7.x86_64
sssd-ldap-1.11.2-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up sssd with an Active Directory server as the authentication provider for a domain.
2. Ensure SELinux policy is enforced.
3. Attempt to authenticate as a domain user using "su - <user>" and entering the correct password.
4. Disable SELinux policy.
5. Attempt to authenticate again.

Actual results:
Step 3: "su" fails with "su: Authentication failure" response.
Step 5: "su" succeeds.

Expected results:
Step 3: "su" succeeds.
Step 5: "su" succeeds.
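The AVC record above carries everything needed to understand the denial, but two details are easy to miss: the `path=` field is hex-encoded because the kernel escapes audit strings containing spaces, and the decoded value ends in "(deleted)", meaning krb5_child had already unlinked the temporary file it was writing to. The following script is an added example, not code from the bug report or from sssd: it parses an AVC line into its fields, decodes hex-escaped strings, and prints the type-enforcement rule that `audit2allow` would propose. The sample line is the one quoted in the report; the field names and the hex-decoding rule follow the Linux audit record format, and the `allow ...;` rule is shown for review only (whitelisting every `tmpfs_t` file write for `sssd_t` is far broader than a policy fix that targets the actual file type).

```python
import re

# Constructed sample: the single AVC record quoted in the bug report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1385403415.267:725): avc:  denied  { write } for '
    'pid=9824 comm="krb5_child" path=2F202864656C6574656429 dev="tmpfs" '
    'ino=31589 scontext=system_u:system_r:sssd_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file'
)

_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields auditd normally quotes. When one contains a space or a quote the
# kernel emits it unquoted as uppercase hex instead; path=2F2028... is such a case.
_STRING_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_audit_field(key, raw):
    """Strip quotes from a quoted value; hex-decode an escaped string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in _STRING_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc(line):
    """Return a dict for an AVC denial record, or None if the line is not one."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw in _KV_RE.findall(line[m.end():]):
        rec[key] = decode_audit_field(key, raw)
    # A context is user:role:type[:range]; the third field is the SELinux type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """The TE rule audit2allow would propose for this denial. Shown for review:
    installing it as a local module is broader than the upstream policy fix."""
    return (f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} "
            f"{{ {' '.join(rec['perms'])} }};")


def summarize(rec):
    """One-line human summary of who was denied what on which object."""
    return (f"{rec['comm']} (pid {rec['pid']}, {rec['stype']}) denied "
            f"{' '.join(rec['perms'])} on {rec['tclass']} {rec['path']!r} "
            f"labelled {rec['ttype']} on dev {rec['dev']}")


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(summarize(rec))
    print(allow_rule(rec))
```

On a live system the same record is obtained with `ausearch -m avc -c krb5_child`, which already decodes the hex path; the point of decoding it here is to see that the target was an unlinked tmpfs file, which is why the report could not name an exact location.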
*** This bug has been marked as a duplicate of bug 1034833 ***