mediumsystemverified ✓
Ensure sudo elevates the SELinux context when called by an administrator
sudo-selinux-context · RHEL ≥ 8 · 1 impl
Description
The sudo command must be configured to elevate the SELinux security context when an administrator calls it, ensuring commands run with appropriate mandatory access controls.
Rationale
Without SELinux context elevation in sudo, administrators may execute commands in their own user SELinux context rather than the privileged context. This can prevent legitimate administrative actions and may indicate a misconfigured or missing SELinux integration in the sudoers policy.
Check → Remediate
Checkcommand
# Check if sudo has role/type elevation configured # Look for ROLE= or TYPE= in sudoers configuration if grep -rqE '^\s*[^#].*ROLE=|^\s*[^#].*TYPE=' /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then echo "OK: sudo is configured to elevate SELinux context" exit 0 fi # Also check if selinux_role_map or rolespec_enabled is configured if sudo -l 2>/dev/null | grep -qE 'ROLE=|TYPE='; then echo "OK: sudo has SELinux role elevation configured" exit 0 fi echo "FAIL: sudo is not configured to elevate SELinux context" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Configure sudo to elevate SELinux context by adding ROLE and TYPE specifications to /etc/sudoers.d/selinux-elevation: %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL Consult your SELinux policy for the appropriate role and type.
Framework references
STIG
V-281250 / RHEL-10-700410V-272496 / RHEL-09-431016V-272484
NIST 800-53
AC-3CM-6
Live verification
rhel8:checkrhel9:check
#selinux#sudo#privilege#mandatory-access-control