My user (tom) has user_u , user_r and user_t via semanage but it still can perform sudo

My user (tom) is mapped to user_u user , user_r role and user_t domain via semanage

[tom@localhost ~]$ id -Z
user_u:user_r:user_t:s0
[tom@localhost ~]$ 

because I have made the "default" as "user_u"

[tom@localhos ~]$ sudo semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[tom@localhos ~]$ 

but it still can perform sudo

[tom@localhost ~]$ sudo -l
Matching Defaults entries for tom on localhost:

User tom may run the following commands on localhost:
    (ALL) NOPASSWD: ALL
[tom@localhost ~]$

It seems, this is because of "%<user tom’s group> ALL = (ALL) NOPASSWD:ALL" in the sudoers

[tom@localhost ~]$ sudo cat /etc/sudoers
root ALL = (ALL) NOPASSWD:ALL
%<user tom's group> ALL = (ALL) NOPASSWD:ALL
admin ALL = (ALL) NOPASSWD:ALL
[tom@localhost ~]$

Please help me fix my issue

Asked By: Rock

||

Use sudo visudo and comment the offending line. Just make very sure that there is some way to get root privileges on this machine before you save the changes

Answered By: roaima
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.