Description of problem:
sssd unable to create pipes under /var/lib/sss/pipes, or read krb5 cache file in /tmp

Version-Release number of selected component (if applicable):
1.5.1-49.1

How reproducible:
install ipa-client, or service sssd start/restart
The following policy file solved the problem for me:

    policy_module(sq_sssd, 1.3)

    require {
            type sssd_t;
            type sssd_var_lib_t;
            type tmp_t;
            class lnk_file { read write create };
            class file { getattr read };
    }

    #============= sssd_t ==============
    allow sssd_t sssd_var_lib_t:lnk_file { create read write };
    allow sssd_t tmp_t:file { getattr read };

This of course could probably be shortened with macros.
Which version of selinux-policy packages is installed on your machine?
selinux-policy-2.4.6-327.el5
Just had an additional entry in audit.log, audit2allow reported this:

    #============= sssd_t ==============
    allow sssd_t tmp_t:file { read lock getattr unlink };
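The allow rules in the two comments above are what audit2allow derives from the AVC denial records in audit.log. As an added example (not part of this bug report, and not the audit2allow tool itself), the following Python script does the same aggregation over constructed sample records and wraps the result in a policy_module()/require{} skeleton like the one posted above; the module name and the sample log lines are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the bug report). The
# contexts mirror the denials the thread describes: sssd_t reading a krb5
# cache in /tmp (tmp_t) and creating symlinks under /var/lib/sss.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300000000.001:101): avc:  denied  { read } for  pid=1234 comm="sssd_be" name="krb5cc_0" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1300000000.002:102): avc:  denied  { getattr } for  pid=1234 comm="sssd_be" path="/tmp/krb5cc_0" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1300000000.003:103): avc:  denied  { create } for  pid=1230 comm="sssd" name="private" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1300000000.003:103): arch=c000003e syscall=88 success=no exit=-13
"""

# One AVC record: permissions in braces, then source/target contexts and class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD records carry no access decision
        stype = m.group("sctx").split(":")[2]  # context is user:role:type[:level]
        ttype = m.group("tctx").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials

def to_allow_rules(denials):
    """One allow rule per (source, target, class), permissions sorted."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(denials.items())]

def to_te_module(denials, name="local_sssd", version="1.0"):
    """Wrap the rules in a policy_module()/require{} skeleton like the one posted above."""
    types = sorted({s for (s, _, _) in denials} | {t for (_, t, _) in denials})
    classes = defaultdict(set)
    for (_, _, c), p in denials.items():
        classes[c].update(p)
    lines = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + to_allow_rules(denials)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_te_module(parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Read the output as a summary of what was denied rather than as a module to load unchanged: an allow on tmp_t:file covers every unlabeled file in /tmp, so confirming the file labels and the installed policy version first is the more precise fix.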
Please include the original AVCs that you were seeing as well.
Upon further investigation and discussion on #sssd, it appears that selinux-policy may have been updated after sssd was started, so the policy wasn't applied yet. I'm not encountering the problem currently and can't seem to reproduce it (I've tried on a couple of different systems), so I'm going to close this, if I can.