On Wed, 2012-02-08 at 00:09 +0100, Dominick Grift wrote:
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Looks like an init script (or a process running in the init script domain) created a file with name krb5cc_1040237070 in /tmp (inode 17 on device dm-4 to be exact).
/tmp should not be used by system-wide services. I am not sure where and if you can configure whatever created that file and tell it to use a proper place like /var/lib/$APP, but if possible then that is best.
Also you should figure out what created this (was it some init script?). It might be that some process was running in the init script domain due to a mislabeled executable file (ps auxZ | grep initrc_t).
I am actually pretty sure it was created by either lsassd or maybe, but less likely, the lsassd init script (or the main likewise init script if you do not have a separate lsassd init script). It may also be a leftover from earlier, before you applied the proper file contexts (that is actually what I suspect).
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
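
The reading of these denials described above, as an added example that is not part of the original message: a Python sketch that parses the four quoted AVC records, merges them per source domain and target object, and guesses which domain labelled the file. The function names and the `<domain>_tmp_t` naming heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# The four denials quoted in the message above, one record per line.
SAMPLE = """\
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { open } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.592:23979) : avc: denied { read } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.600:23980) : avc: denied { lock } for pid=1671 comm=lsassd path=/tmp/krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(02/07/2012 21:55:59.609:23981) : avc: denied { unlink } for pid=1671 comm=lsassd name=krb5cc_1040237070 dev=dm-4 ino=17 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def summarize(text):
    """Merge denials per (source domain, target type, class, dev, inode)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2],
               rec["tclass"], rec.get("dev"), rec.get("ino"))
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def likely_creator_domain(target_type):
    """Heuristic (assumption): <domain>_tmp_t is the private tmp type of <domain>_t."""
    if target_type.endswith("_tmp_t"):
        return target_type[:-len("_tmp_t")] + "_t"
    return None

if __name__ == "__main__":
    for (sdom, ttype, tclass, dev, ino), perms in summarize(SAMPLE).items():
        creator = likely_creator_domain(ttype)
        print(f"{sdom} denied {{ {' '.join(perms)} }} on {tclass} {dev}:{ino} ({ttype})")
        if creator and creator != sdom:
            print(f"  labelled as if created by {creator}; check: ps auxZ | grep {creator}")
```

A file's label records the domain that labelled it when it was created, not which program wrote it, so the guess only narrows the search to processes running in that domain.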