On systems where SELinux is enabled, sudo’s RBAC support allows a command to be run with a user-specified role and/or type. In order to transition to the target SELinux security context, sudo runs the command through the sesh helper program. When sudo is invoked as sudoedit, sesh is used to first create the editor temporary files with the proper security context and then, once the editor has run, to copy the edited temporary files to their original locations.
