sudo/selinux "not a valid context"


We cloned a working machine (meaning this problem does not occur there) and made the usual adjustments needed to get the host up in its new environment. Didn't make any SELinux changes. SELinux is in Permissive mode.

We're using RH Identity Management IPA. That seems to work, as I can log in as myself. But if I then run sudo -i, it barks:

sudo: unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 is not a valid context

sudo -v works just fine, so it's not an authentication thing (I don't think.)

But try to actually elevate rights to do some command with sudo and the above message is always the result.

root is able to run sudo ls, for example, with no issue.

SELinux doesn't log anything about this (audit2why shows nothing, at least.)

Nothing in /var/log/messages.

If I look in /var/log/secure, I get these 3 lines each time:

Nov 26 16:11:04 xxxxxxxxxxxxxxxxxxxxxx.org sudo: jxxxxxxxx3 : TTY=pts/0 ; PWD=/home/jxxxxxxxx3 ; USER=root ; COMMAND=/bin/tail /var/log/messages
Nov 26 16:11:04 xxxxxxxxxxxxxxxxxxxxxx.org sudo: pam_unix(sudo:session): session opened for user root by jxxxxxxxx3(uid=0)
Nov 26 16:11:04 xxxxxxxxxxxxxxxxxxxxxx.org sudo: pam_unix(sudo:session): session closed for user root

I tried touching /.autorelabel and a reboot: that was not helpful.

Because it's mentioned in /var/log/secure, I thought I'd check this:

drwxr-x---. jxxxxxxxx3 jxxxxxxxx3 staff_u:object_r:user_home_dir_t:s0 .

So that doesn't look like it's out of whack.

Any suggestions?

Responses

This turned out to be b/c the host was not added to the right IPA group.

$ ipa host-find `hostname`

returns nothing.

$ ipa hostgroup-add-member --hosts=<FQDN>

Now sudo (and other stuff that was broken) works.
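
An added example, not part of the original thread: an SELinux context is only valid when its role is authorized for its SELinux user, so one local check for the error above is to compare the rejected context against the output of `semanage user -l`. The user table below is constructed sample data in the shape of that command's output, the function names are hypothetical, and the script only explains the user/role pairing; it does not query IPA.

```python
# Added example: explain why sudo rejects a target context, using text in the
# shape of `semanage user -l` output. SAMPLE_USERS is constructed sample data;
# on a real host, paste the actual command output instead.
SAMPLE_USERS = """\
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles
staff_u         user       s0         s0-s0:c0.c1023       staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023       system_r unconfined_r
user_u          user       s0         s0                   user_r
"""


def parse_context(ctx):
    """Split user:role:type:range; the MLS/MCS range may itself contain ':'."""
    parts = ctx.strip().split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError("expected user:role:type:range, got %r" % ctx)
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_semanage_users(text):
    """Map each SELinux user to the set of roles it is authorized for."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows: name, prefix, level, range, then one or more *_r roles.
        # Header lines fail the role check and are skipped.
        if len(fields) >= 5 and all(f.endswith("_r") for f in fields[4:]):
            table[fields[0]] = set(fields[4:])
    return table


def explain(ctx, users_text):
    """Return a one-line diagnosis of the user/role pairing in ctx."""
    c = parse_context(ctx)
    table = parse_semanage_users(users_text)
    if c["user"] not in table:
        return "unknown SELinux user %s" % c["user"]
    if c["role"] not in table[c["user"]]:
        ok = sorted(u for u, roles in table.items() if c["role"] in roles)
        return "%s is not authorized for %s (authorized: %s)" % (
            c["user"], c["role"], ", ".join(ok) or "none")
    return "user/role pair is authorized"


if __name__ == "__main__":
    # Context string copied from the sudo error message in the question.
    print(explain("unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023", SAMPLE_USERS))
```

If the diagnosis names a different SELinux user than the one the login was expected to receive, the login mapping (`id -Z` after login) is the next thing to compare with the working machine.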