- Bug
- Resolution: Won't Do
- Affects: rhel-8.9.0, rhel-9.4
- Moderate
- rhel-security-special-projects
- ssg_security
- Red Hat Enterprise Linux
- All
What were you trying to do that didn't work?
As a confined user mapped to sysadm_u, with the following configuration in /etc/sudoers, it is not possible to run sudo:
Defaults log_input,log_output
Defaults logfile=/var/log/sudo.log
Error the user gets:
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
$ sudo -i
sudo: unable to open /var: Permission denied
This occurs because an AVC shows up:
type=PROCTITLE msg=audit(05/15/2024 09:26:23.937:150) : proctitle=sudo -i
type=SYSCALL msg=audit(05/15/2024 09:26:23.937:150) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc3755f3b0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=0 ppid=1396 pid=1445 auid=sysadm uid=sysadm gid=sysadm euid=root suid=root fsuid=root egid=root sgid=sysadm fsgid=root tty=pts1 ses=5 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/15/2024 09:26:23.937:150) : avc: denied { read } for pid=1445 comm=sudo name=var dev="dm-0" ino=33575046 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
There is no rule for this in the policy and IMHO such a rule is not needed.
Indeed, with just Defaults logfile=/var/log/sudo.log in the configuration, the issue doesn't occur, which tells us the implementation of sudo-io is "broken": it tries to read /var while only searching should be needed (which the policy already allows).
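The AVC above, parsed and correlated with its SYSCALL record by audit serial, as an added example that is not part of this report, of sudo, or of the SELinux policy. It uses the three records quoted above as constructed sample input (interpreted, ausearch -i style) and flags a dir denial that asks only for read, which is what the reasoning above turns on: traversing a path needs search on the directory, reading it does not.

```python
import re
from collections import defaultdict

# Constructed sample (interpreted, ausearch -i style): the three records from the report.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(05/15/2024 09:26:23.937:150) : proctitle=sudo -i
type=SYSCALL msg=audit(05/15/2024 09:26:23.937:150) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc3755f3b0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=0 ppid=1396 pid=1445 auid=sysadm uid=sysadm gid=sysadm euid=root suid=root fsuid=root egid=root sgid=sysadm fsgid=root tty=pts1 ses=5 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/15/2024 09:26:23.937:150) : avc: denied { read } for pid=1445 comm=sudo name=var dev="dm-0" ino=33575046 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc: (denied|granted) +\{ ([^}]*)\}")

def parse_record(line):
    """Split one audit record into (type, serial, {key: value}); None if not a record."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    p = PERMS_RE.search(m["body"])
    if p:
        fields["decision"], fields["perms"] = p.group(1), sorted(p.group(2).split())
    return m["type"], m["serial"], fields

def correlate(text):
    """Group records by audit serial; summarize each denied AVC with its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[1]][rec[0]] = rec[2]
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc and avc.get("decision") == "denied":
            out.append({"serial": serial, "comm": avc["comm"], "name": avc.get("name"),
                        "syscall": sc.get("syscall"), "flags": sc.get("a2"),
                        "perms": avc["perms"], "tclass": avc["tclass"],
                        "stype": avc["scontext"].split(":")[2],
                        "ttype": avc["tcontext"].split(":")[2]})
    return out

def te_rule(ev):
    """audit2allow-style rule that would silence the AVC (not necessarily the right fix)."""
    return f"allow {ev['stype']} {ev['ttype']}:{ev['tclass']} {{ {' '.join(ev['perms'])} }};"

def traversal_only(ev):
    """dir denial asking only for read = directory listing; traversal needs search, not read."""
    return ev["tclass"] == "dir" and ev["perms"] == ["read"]
```

For a live system, feed it the output of `ausearch -m AVC,SYSCALL -i` instead of the embedded sample; a denial that traversal_only() flags points at the caller opening a directory it only needs to pass through, not at a missing policy rule.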
Please provide the package NVR for which the bug is seen:
sudo-1.9.5p2-1.el8_9.x86_64
sudo-1.9.5p2-10.el9_3.x86_64
How reproducible:
Always
Steps to reproduce
- Create a user mapped to sysadm_u
# useradd -G wheel -Z sysadm_u sysadm
- Configure sudo to log input and/or output
Defaults log_input,log_output
Defaults logfile=/var/log/sudo.log
- Log in as the confined user and try to run sudo interactively (sudo -i)
Expected results
User gets a prompt
Actual results
Error message + AVC
- relates to: RHEL-36431 Confined commands generate AVCs and don't output anything when executed from a sudo with io logging (Closed)