Proposed as a Blocker for 30-beta by Fedora user sgallagh using the blocker tracking app because:

 I'm not sure which specific criterion to cite, as non-functional "sudo" breaks a huge swath of administrative functionality.

I suppose "The installed system must be able appropriately to install, remove, and update software with the default console tool for the relevant software type (e.g. default console package manager). This includes downloading of packages to be installed/updated." might be appropriate, since if you didn't set a root password in Anaconda, it will be impossible to run `dnf install` or `dnf update`.

And a little bit more verbose output

Before upgrade:
[build@4ed54a2218eb tmp]$ sudo su -c "ls /root"
anaconda-ks.cfg  anaconda-post.log  original-ks.cfg
[build@4ed54a2218eb tmp]$ sudo -l
Matching Defaults entries for build on 4ed54a2218eb:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bi
n

User build may run the following commands on 4ed54a2218eb:
    (ALL : ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best
        --setopt\=install_weak_deps\=False install -- *


Upgrade:
[build@4ed54a2218eb tmp]$ sudo su -c "dnf update -y pam\*"
Last metadata expiration check: 0:01:07 ago on Sat Nov 24 18:32:24 2018.
Dependencies resolved.
================================================================================
 Package           Arch           Version                 Repository       Size
================================================================================
Upgrading:
 pam               x86_64         1.3.1-9.fc30            rawhide         629 k
 pam-devel         x86_64         1.3.1-9.fc30            rawhide         148 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 778 k
Downloading Packages:
(1/2): pam-devel-1.3.1-9.fc30.x86_64.rpm         65 kB/s | 148 kB     00:02
(2/2): pam-1.3.1-9.fc30.x86_64.rpm              204 kB/s | 629 kB     00:03
--------------------------------------------------------------------------------
Total                                           252 kB/s | 778 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : pam-1.3.1-9.fc30.x86_64                                1/4
  Running scriptlet: pam-1.3.1-9.fc30.x86_64                                1/4
  Upgrading        : pam-devel-1.3.1-9.fc30.x86_64                          2/4
  Cleanup          : pam-devel-1.3.1-8.fc30.x86_64                          3/4
  Cleanup          : pam-1.3.1-8.fc30.x86_64                                4/4
  Running scriptlet: pam-1.3.1-8.fc30.x86_64                                4/4
  Verifying        : pam-1.3.1-9.fc30.x86_64                                1/4
  Verifying        : pam-1.3.1-8.fc30.x86_64                                2/4
  Verifying        : pam-devel-1.3.1-9.fc30.x86_64                          3/4
  Verifying        : pam-devel-1.3.1-8.fc30.x86_64                          4/4

Upgraded:
  pam-1.3.1-9.fc30.x86_64             pam-devel-1.3.1-9.fc30.x86_64

Complete!


And broken after upgrade:
[build@4ed54a2218eb tmp]$ sudo -l
Matching Defaults entries for build on 4ed54a2218eb:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User build may run the following commands on 4ed54a2218eb:
    (ALL : ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best
        --setopt\=install_weak_deps\=False install -- *
    (ALL : ALL) NOPASSWD: /bin/su
[build@4ed54a2218eb tmp]$ sudo su -c "ls /root"
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

(In reply to Stephen Gallagher from comment #0)
> Actual results:
> The first sudo works fine. After updating PAM, it returns "sudo: Password
> expired, contact your system administrator"
> 

In both cases, it happens in container and I can say that build user does not have any password. It works well if user has passwod but use is used with NOPASSWD so it is not required.

Can you please check and confirm the issue is solved (and no other regressions are introduced) with this [1] scratch build?


[1]  https://koji.fedoraproject.org/koji/taskinfo?taskID=31094383

I can confirm that the scratch-build fixes this issue. Can we get that into a proper build ASAP? As noted in the original post, numerous CI systems depend on sudo working on the Rawhide container image, so it would be good to land this in the Rawhide compose right away (and adjust it later if the upstream review results in changes).

Thank you for testing and confirming the fix, Stephen!

"Real" build for Rawhide is running.  I just wanted to wait for an external confirmation before pulling the trigger.