Description of problem:
https://fedoraproject.org/wiki/Features/KRB5DirCache is going to require pam_krb5 to start creating its credential caches in user_tmp_t locations (usually /run/user/$USER) rather than the current default of tmp_t (/tmp).

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-128
pam_krb5-2.3.14-1.fc18

How reproducible:
Always

Steps to Reproduce:
1. Update to Rawhide pam_krb5, or set "ccname_template = FILE:/run/user/%u/krb5cc_XXXXXX" in the "pam" subsection of the [appdefaults] section in /etc/krb5.conf.
2. Try to log in via console login or gdm.

Actual results:
If login succeeds, $KRB5CCNAME will be set wrong, and you'll see these denials in your log:

time->Tue Jun 5 10:32:02 2012
type=PATH msg=audit(1338906722.165:1886): item=1 name="/run/user/nalin/krb5cc_4DEcq3" inode=421181 dev=00:10 mode=0100600 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0-s0:c0.c1023
type=PATH msg=audit(1338906722.165:1886): item=0 name="/run/user/nalin/" inode=24368 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338906722.165:1886): cwd="/"
type=SYSCALL msg=audit(1338906722.165:1886): arch=c000003e syscall=2 success=yes exit=4 a0=1795270 a1=2c2 a2=180 a3=6165726373662f72 items=2 ppid=9700 pid=9701 auid=4294967295 uid=2510 gid=2516 euid=2510 suid=2510 fsuid=2510 egid=2516 sgid=2516 fsgid=2516 tty=tty4 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338906722.165:1886): avc: denied { create } for pid=9701 comm="login" name="krb5cc_4DEcq3" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file

time->Tue Jun 5 10:49:17 2012
type=PATH msg=audit(1338907757.230:586): item=0 name="/run/user/nalin/krb5cc_4C9aVb" inode=27491 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338907757.230:586): cwd="/var/gdm"
type=SYSCALL msg=audit(1338907757.230:586): arch=c000003e syscall=2 success=no exit=-13 a0=15923a0 a1=2c2 a2=180 a3=6165726373662f72 items=1 ppid=1507 pid=1867 auid=2510 uid=0 gid=2516 euid=0 suid=0 fsuid=0 egid=2516 sgid=2516 fsgid=2516 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338907757.230:586): avc: denied { create } for pid=1867 comm="gdm-session-wor" name="krb5cc_4C9aVb" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file

Expected results:
Login succeeds, $KRB5CCNAME points to a "FILE" or "DIR"-type ccache under $XDG_RUNTIME_DIR, and running "klist" shows that your credentials are correctly stored there.

Additional info:
The "allow_kerberos" boolean is enabled.

Should be fixed in the latest policy.
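
Added example, not part of the original report or of selinux-policy: a small parser that reduces the two type=AVC records quoted in the report to (source type, target type, class) tuples, which is the form needed to see which login domains lack which permission on user_tmp_t. The function names parse_avc and summarize are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# The two type=AVC records quoted in the report above.
SAMPLE = """\
type=AVC msg=audit(1338906722.165:1886): avc: denied { create } for pid=9701 comm="login" name="krb5cc_4DEcq3" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1338907757.230:586): avc: denied { create } for pid=1867 comm="gdm-session-wor" name="krb5cc_4C9aVb" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:mls-range]; the type is field 3.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize(text):
    """Group denials by (source type, target type, class) -> perms and comms."""
    out = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # PATH, CWD, SYSCALL and time-> lines are skipped
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass"))
        out[key]["perms"].update(rec["perms"])
        out[key]["comms"].add(rec.get("comm"))
    return dict(out)


if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }} "
              f"by {sorted(info['comms'])}")
```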