Redhat: How to create a new role with SELinux

Tags: redhat, selinux

I can figure out how to map a SELinux user to an existing role, but how do I create new roles? I'm looking to create a restricted admin role for my box.

Best Answer

Unless you want to rewrite pretty much the whole refpolicy, I see no use for a new role. Note that after creating it, you'll need to create custom policy rules for literally every module that role is supposed to be able to use.

My idea of giving a user a restricted administrator role is implemented by:

  1. mapping him/her to guest_u, which is a highly confined (and already existing) SELinux user.
  2. creating Role Based Access Control (RBAC) rules coupled with sudo rules to allow specific people to run specific commands on specific machines under a specific SELinux role and type.
  3. (Of course, this is a limited version of what a really confined environment looks like, you'd need to add, for example, a properly configured rbash, a limited PATH, 2FA authentication, proper authorization, ...)

The key point here is the ability to grant an unprivileged guest_u user the ability to run an elevated privilege command without ever leaving his/her restricted SELinux user mapping.

Check the sudoers(5) manpage for details.

Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

SELinux_Spec: On systems with SELinux support, sudoers entries may optionally have an SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values specified in sudoers. A role or type specified on the command line, however, will supersede the values in sudoers.

To check for SELinux support in sudo, run:

# ldd $(which sudo) | grep selinux

On RHEL, sudo has SELinux support enabled by default.
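The following is an added example, not part of the answer above and not Red Hat's or the sudo project's code. It puts the answer's two pieces together: the login mapping to a confined SELinux user (step 1) and a sudoers Cmnd_Spec whose SELinux_Spec (ROLE=/TYPE=) sits between the Runas_Spec and the command, in the order the sudoers(5) grammar quoted above requires (step 2), plus the ldd check for SELinux support in sudo. The login name alice, the host ALL, the confined user staff_u, the role/type pair sysadm_r/sysadm_t and the systemctl and journalctl commands are placeholders I chose, not values from the answer. I use staff_u rather than the answer's guest_u because the SELinux user you map to must be authorized for the target role (compare the role list in `semanage user -l`), or sudo will fail to set the exec context; whichever confined user you pick, check that first. The script only prints the commands and sudoers lines; it does not apply anything.

```shell
#!/bin/sh
# Added example (not from the original answer). Generates the semanage
# login mapping and the sudoers lines for a restricted admin, and checks
# whether the local sudo links against libselinux.
# Assumed placeholders: alice, ALL, staff_u, sysadm_r/sysadm_t, the commands.

# semanage command mapping a Linux login to a confined SELinux user.
# $1 login name, $2 SELinux user (e.g. staff_u)
selinux_login_mapping() {
    printf 'semanage login -a -s %s %s\n' "$2" "$1"
}

# One sudoers Cmnd_Spec with an SELinux_Spec, laid out per sudoers(5):
#   Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
# $1 user, $2 host, $3 runas user, $4 role, $5 type, $6 command,
# $7 optional Tag_Spec such as NOPASSWD:
sudoers_selinux_entry() {
    tags=""
    if [ -n "${7:-}" ]; then
        tags="$7 "
    fi
    printf '%s %s=(%s) ROLE=%s TYPE=%s %s%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$tags" "$6"
}

# Renders a complete sudoers.d fragment for one user from stdin lines of the
# form role|type|command (the command may contain spaces).
# $1 user
render_sudoers_fragment() {
    user=$1
    printf '# restricted admin role for %s (generated)\n' "$user"
    while IFS='|' read -r role type cmd; do
        if [ -n "$role" ]; then
            sudoers_selinux_entry "$user" ALL root "$role" "$type" "$cmd"
        fi
    done
}

# The ldd check from the answer as a function. Returns 0 if sudo links
# against libselinux, 1 if it does not, 2 if sudo or ldd is not installed.
sudo_has_selinux() {
    bin=$(command -v sudo 2>/dev/null) || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$bin" 2>/dev/null | grep -q libselinux
}

# Demo: print the mapping and a fragment for two constructed commands.
echo "# step 1: map the login to a confined SELinux user"
selinux_login_mapping alice staff_u
echo "# step 2: sudoers fragment (e.g. /etc/sudoers.d/alice-restricted)"
printf '%s\n' \
    'sysadm_r|sysadm_t|/usr/bin/systemctl restart httpd' \
    'sysadm_r|sysadm_t|/usr/bin/journalctl -u httpd' \
    | render_sudoers_fragment alice
if sudo_has_selinux; then
    echo "# local sudo: linked against libselinux"
else
    echo "# local sudo: no libselinux found, or sudo/ldd not installed"
fi
```

Write the generated fragment to a file under /etc/sudoers.d/ and validate it with `visudo -cf <file>` before relying on it; apply the login mapping with the printed semanage command. With the mapping in place, `sudo -r sysadm_r -t sysadm_t <command>` on the command line would supersede the ROLE/TYPE in the file, as the manpage excerpt notes, so keep the command list in the fragment tight.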