(solved) Sudo permission denied after fresh install rocky 9.0

Hello,
I just installed for testing a new VM as follow :

• Rocky Linux 9 minimal install
• LVM partitioning
• Security Profile ANSSI enhanced
• Root account is not deactivated
• normal user “user” as administrator

whenever i try a sudo command i get permission denied…

When installing a package it fails :

--------------------------------------------------------------------------------
Total                                            84 kB/s |  36 kB     00:00     
[Errno 13] Permission non accordée: '/bin/rpmkeys'
Les paquets téléchargés ont été mis en cache jusqu’à la prochaine transaction réussie.
Vous pouvez supprimer les paquets en cache en exécutant « dnf clean packages ».

or trying vi with sudo :

[user@localhost ~]$ sudo vi test
/bin/vi: ligne 23: /usr/libexec/vi: Permission non accordée
/bin/vi: ligne 23: /usr/libexec/vi: Succès

My user is in wheel group and the wheel group has all permissions in /etc/sudoers :

[root@localhost user]# groups user
user : user wheel

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

One thing i noticed is that everything works when i get into “su” and is logged in as root directly.

I also checked this topic without result : Can't sudo su - or sudo -i

Thanks in advance for your help

After some more troubleshooting I discovered that with the same lvm partitioning but no security profile the system works as expected.

After investigating the oscap report it seems like sudo NOEXEC do what it is supposed to :

image2632×1136 145 KB

editing sudoers file with visudo and commenting NOEXEC line appears to make it work again.

I guess the security profile suppose you will do some more tweaking to allow your user to do only the required command in sudo.

Hope this post will help some other people to troubleshoot

Yes, but if the standard user can’t run important sudo commands, then who is going to be the sysadmin? You don’t really want someone using the real root for sysadmin?

@gerry666uk This rule is applied for enhanced and high security profile so i guess it’s normal it breaks things It’s very restrictive but this is how you get maximum security… I guess the admin who installs the machines should tweak the settings to match the commands needed to adminster the machines

Security often does not rime with Usability…

EDIT : Guide to the Secure Configuration of Red Hat Enterprise Linux 7 | OpenSCAP Security Guide warns you :

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Yes, but they’d have to allow so many commands as to make it useless.