Getting "sudo: unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 is not a valid context" error message when sudo'ing


Environment

  • Red Hat Enterprise Linux
    • SELinux

Issue

  • After adding the following configuration line for users in the wheel group, sudo'ing no longer works

    # grep ^%wheel /etc/sudoers
    %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
    

    As a user in the wheel group:

    $ sudo -i
    sudo: unconfined_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 is not a valid context
    

Resolution

Follow the procedure in the Diagnostic Steps section; if this is a match, proceed further.

This is expected behaviour when the user running sudo is mapped to the unconfined_u SELinux user.

Having the user mapped to the unconfined_u SELinux user is not expected: usually the user should be mapped to the staff_u or sysadm_u SELinux user.

  1. Collect the login mapping

    # yum -y install policycoreutils-python-utils
    
    # semanage login -l
    
    Login Name           SELinux User         MLS/MCS Range        Service
    
    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    staff                staff_u              s0-s0:c0.c1023       *
    sysadm               sysadm_u             s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *
    

    In the example above, the staff login is mapped to the staff_u SELinux user and the sysadm login is mapped to the sysadm_u SELinux user.
    However, all other logins (including the admin login used in our example) are mapped to unconfined_u through the __default__ entry above, which is not correct.

  2. Change the mapping for default logins to some confined user

    # semanage login -m -s staff_u __default__
    

    In the example above, we map all default logins to the staff_u SELinux user, which allows every one of them to sudo (and hence may not be wise).

    Usually, to restrict the use of the sudo command to the "power users" in the wheel group, map those users one by one or by group. In the example below, the admin login is mapped to staff_u, all users in the wheel group are mapped to staff_u as well, and normal users are mapped to user_u:

    # semanage login -m -s user_u __default__
    # semanage login -a -s staff_u admin
    # semanage login -a -s staff_u %wheel
    
  3. Log in as the user that needs to sudo and verify its context

    $ id
    uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
    
  4. Verify that the user can now sudo

    $ sudo -i
    # id -Z
    staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    
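The two checks the procedure above performs by hand (which SELinux user a login resolves to, and whether that SELinux user may enter the role the sudoers rule requests), as an added example that is not part of the Red Hat article. The mapping tables, the role table and the sudoers line are constructed here to mirror the article's output; the role table only approximates `semanage user -l` on a targeted-policy host.

```shell
# Added example (not the article's own code). Reproduces the check behind
# "... is not a valid context": resolve the SELinux user a login gets from the
# semanage login mapping, then test whether that user may enter the ROLE= the
# sudoers rule asks for. Tables are constructed; roles approximate targeted policy.

# Mapping as the article finds it (no entry for wheel, default unconfined_u).
SEUSERS_BEFORE='__default__ unconfined_u
root unconfined_u
staff staff_u
sysadm sysadm_u'

# Mapping after "semanage login -a -s staff_u %wheel".
SEUSERS_AFTER="$SEUSERS_BEFORE
%wheel staff_u"

# SELinux user -> roles it may enter (constructed, targeted policy).
SEUSER_ROLES='unconfined_u system_r unconfined_r
staff_u staff_r sysadm_r system_r unconfined_r
sysadm_u sysadm_r
user_u user_r'

SUDOERS_RULE='%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL'

# resolve_seuser TABLE LOGIN "GROUP ..." -> SELinux user.
# Precedence as in libselinux: exact login, then %group, then __default__.
resolve_seuser() {
    local table="$1" login="$2" groups="$3" g hit
    hit=$(printf '%s\n' "$table" | awk -v l="$login" '$1==l {print $2; exit}')
    for g in $groups; do
        [ -n "$hit" ] && break
        hit=$(printf '%s\n' "$table" | awk -v l="%$g" '$1==l {print $2; exit}')
    done
    [ -n "$hit" ] || hit=$(printf '%s\n' "$table" | awk '$1=="__default__" {print $2}')
    echo "$hit"
}

# rule_role RULE -> value of ROLE= in a sudoers entry (empty when absent).
rule_role() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^ROLE=//p'
}

# check_sudo_switch TABLE LOGIN "GROUP ..." -> 0 when the role switch the
# rule requests is reachable, 1 when sudo would reject the built context.
check_sudo_switch() {
    local seuser role
    seuser=$(resolve_seuser "$1" "$2" "$3")
    role=$(rule_role "$SUDOERS_RULE")
    printf '%s\n' "$SEUSER_ROLES" | awk -v u="$seuser" -v r="$role" \
        '$1==u { for (i=2; i<=NF; i++) if ($i==r) ok=1 } END { if (!ok) exit 1 }'
}
```

With the "before" table the admin login resolves to unconfined_u, which has no sysadm_r, so the check fails exactly as sudo does; with the "after" table the %wheel entry wins over __default__ and the switch is reachable.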

Root Cause

It is a configuration error to have unconfined users when such a sudo rule is applied: unconfined_u cannot enter the sysadm_r role, so the context the rule builds is invalid.

Diagnostic Steps

  1. As the user trying to sudo, get the login attributes

    $ id
    uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    

    In the example above, the admin user is part of the wheel group and is executing in the unconfined_u:unconfined_r:unconfined_t context.

  2. As root, check the sudo configuration for an automatic role and type switch applying to the specific user or to the wheel group

    # egrep "^(admin|%wheel)" /etc/sudoers /etc/sudoers.d/*
    /etc/sudoers:%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
    

    In the example above, there is a rule to automatically switch to sysadm_r role and sysadm_t type for all users in wheel group.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
