
selinux policy for heimdal and krb5cc cache



Hello,
I am working on a SELinux policy for heimdal using openldap as backend 
in combination with SASL authentication and ran into a problem 
specifying a proper policy for the krb5cc.
Currently krb5cc is stored in /tmp by default. So, the krb5cc is created 
in the tmp context of the current domain.
For users user_tmp_t, admin: sysadm_tmp_t, etc.
But, if another program creates the cache, say pam_krb5, it is created 
in the tmp_t of that domain. That would be local_login_t, so we get a 
krb5cc owned by local_login_tmp_t, and access is denied to all users.
To solve this, there should be a separate type which users and the 
local_login domain should have access to. The krb5cc_t.
This would not work in the /tmp dir, because all files written there are 
already automatically type-changed to tmp domains.
So what I could do is use a different directory, say /var/heimdal/krb5cc.
This works, but comes with another problem. There is just one krb5cc 
domain. So a privileged user (say root or sudo user with unix shadow) on 
one system, who uses kerberos, can use all krb5cc caches to become those 
users anywhere on the network. That's not very nice.... or well, we 
don't want that.
So what I actually need is a user separated domain, which separates 
users, even the root user. This would obviously end up in the home dir, 
because it is user specific.
This is where my problem lies, I cannot specify a default_cc_name = 
/home/%{user_name}/.krb5cc/krb5cc_%{uid} in krb5.conf, since 
%{user_name} does not exist. Also the ~ (home dir) for 
~/.krb5cc/krb5cc_%{uid} does not work.
Would it be (or could it be made) possible to specify the krb5cc in a 
home dir, so I can solve this issue?

Best Regards,
Mivz
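As an added illustration of the separate-type approach the post describes (a dedicated directory outside /tmp so that cache files get krb5cc_t instead of the creating domain's tmp type), here are the raw SELinux policy statements such a policy would contain. This is example code, not from the post, from Heimdal or from any shipped policy; the type name krb5cc_dir_t, the permission sets and the file_contexts lines are assumptions, and a reference-policy module would wrap the type declarations in its own macros (and an MLS/MCS policy would add a level to the contexts). The domain names local_login_t, user_t, sysadm_t and the type krb5cc_t are the ones used in the post. The example deliberately reproduces the weakness the post points out: with a single krb5cc_t, every domain granted access can read every user's cache.

```selinux
# Added example (not from the post or Heimdal): raw SELinux policy statements
# for the shared-type approach. krb5cc_dir_t, the permission sets and the
# file_contexts lines below are assumptions; local_login_t, user_t, sysadm_t
# and krb5cc_t are the names used in the post.

# A dedicated directory type, so files created there are not labelled with
# the creating domain's *_tmp_t type the way files in /tmp are.
type krb5cc_dir_t;
type krb5cc_t;

# Whoever creates a cache file in that directory gets krb5cc_t, rather than
# local_login_tmp_t, user_tmp_t or sysadm_tmp_t.
type_transition local_login_t krb5cc_dir_t:file krb5cc_t;
type_transition user_t        krb5cc_dir_t:file krb5cc_t;
type_transition sysadm_t      krb5cc_dir_t:file krb5cc_t;

# pam_krb5 running in local_login_t has to create and write the cache ...
allow local_login_t krb5cc_dir_t:dir  { search write add_name remove_name };
allow local_login_t krb5cc_t:file     { create read write getattr setattr unlink };

# ... and the user's shell domain has to read and refresh it afterwards.
allow user_t   krb5cc_dir_t:dir  { search write add_name remove_name };
allow user_t   krb5cc_t:file     { create read write getattr setattr unlink };
allow sysadm_t krb5cc_dir_t:dir  { search write add_name remove_name };
allow sysadm_t krb5cc_t:file     { create read write getattr setattr unlink };

# Assumed file_contexts entries for the directory. Files inside it are
# labelled by the type_transition rules when they are created; the second
# line only matters when the tree is relabelled from file_contexts.
#   /var/heimdal/krb5cc      -d  system_u:object_r:krb5cc_dir_t
#   /var/heimdal/krb5cc/.*       system_u:object_r:krb5cc_t

# Caveat the post raises: there is only one krb5cc_t, so every domain
# listed above may read every user's cache. Only DAC ownership still keeps
# users apart, and root is not bound by that, so this gives no per-user
# separation on its own.
```

Only the dir and file permissions actually needed should be kept in a real policy; the sets above are deliberately the minimum for creating, refreshing and destroying a cache, and the caveat at the end is exactly why the post goes on to ask for a per-user location in the home directory.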