NEWROLE(1)                          NSA                          NEWROLE(1)

NAME
       newrole - run a shell with a new SELinux role

SYNOPSIS
       newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL
               [-p|--preserve-environment] [-- [ARGS]...]

DESCRIPTION
       Run a new shell in a new context.  The new context is derived from the
       old context in which newrole is originally executed.  If the -r or
       --role option is specified, then the new context will have the role
       specified by ROLE.  If the -t or --type option is specified, then the
       new context will have the type (domain) specified by TYPE.  If a role
       is specified, but no type is specified, the default type is derived
       from the specified role.  If the -l or --level option is specified,
       then the new context will have the sensitivity level specified by
       LEVEL.  If LEVEL is a range, the new context will have the sensitivity
       level and clearance specified by that range.  If the -p or
       --preserve-environment option is specified, the shell with the new
       SELinux context will preserve environment variables; otherwise a new
       minimal environment is created.

       Additional arguments ARGS may be provided after a -- option, in which
       case they are supplied to the new shell.  In particular, an argument of
       -- -c will cause the next argument to be treated as a command by most
       command interpreters.

       If a command argument is specified to newrole and the command name is
       found in /etc/selinux/newrole_pam.conf, then the PAM service name
       listed in that file for the command will be used rather than the normal
       newrole PAM configuration.  This allows for per-command PAM
       configuration when invoked via newrole, e.g. to skip the interactive
       re-authentication phase.

       The new shell will be the shell specified in the user's entry in the
       /etc/passwd file.

       The -V or --version option shows the current version of newrole.

EXAMPLE
       Changing role:
       # id -Z
       staff_u:staff_r:staff_t:SystemLow-SystemHigh
       # newrole -r sysadm_r
       # id -Z
       staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

       Changing sensitivity only:
       # id -Z
       staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
       # newrole -l Secret
       # id -Z
       staff_u:sysadm_r:sysadm_t:Secret-SystemHigh

       Changing sensitivity and clearance:
       # id -Z
       staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
       # newrole -l Secret-Secret
       # id -Z
       staff_u:sysadm_r:sysadm_t:Secret

       Running a program in a given role or level:
       # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
       # newrole -l Secret -- -c "/path/to/app arg1 arg2..."

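The rules in DESCRIPTION (role from -r, type from -t or else the role's default type, level or range from -l) and the three id -Z transcripts above can be checked without a live SELinux system. The script below is an added example, not part of newrole or this man page: it predicts the context newrole should produce from an old context and the requested options, so an administrator can compare the prediction with what id -Z actually reports after a transition. It assumes the default_type file holds one role:type pair per line and uses a constructed copy of that file; the -p option does not affect the context and is not modelled.

```shell
#!/bin/sh
# Added example (not part of newrole or this man page): predict the
# context that newrole should produce, following the rules in
# DESCRIPTION.  Purely textual; needs no SELinux.  Assumes the
# default_type file holds one "role:type" pair per line; the file
# written below is constructed for the example, not copied from a
# live system.

DEFAULT_TYPE_FILE="${TMPDIR:-/tmp}/newrole_example_default_type.$$"
cat > "$DEFAULT_TYPE_FILE" <<'EOF'
staff_r:staff_t
sysadm_r:sysadm_t
auditadm_r:auditadm_t
EOF
trap 'rm -f "$DEFAULT_TYPE_FILE"' EXIT

# default_type_for ROLE: print the default type for ROLE, or nothing.
default_type_for() {
    awk -F: -v r="$1" '$1 == r { print $2; exit }' "$DEFAULT_TYPE_FILE"
}

# new_level OLD_LEVEL REQUESTED: apply -l to the old level field.
# A single level replaces the low end and keeps the old clearance;
# a LOW-HIGH range replaces both; LOW-LOW collapses to LOW, as in
# the "Secret-Secret" transcript above.
new_level() {
    ol=$1; rq=$2
    if [ -z "$rq" ]; then printf '%s\n' "$ol"; return 0; fi
    case $rq in
        *-*) lo=${rq%%-*}; hi=${rq#*-} ;;
        *)   lo=$rq
             case $ol in *-*) hi=${ol#*-} ;; *) hi=$rq ;; esac ;;
    esac
    if [ "$lo" = "$hi" ]; then printf '%s\n' "$lo"
    else printf '%s-%s\n' "$lo" "$hi"; fi
}

# derive_context OLD_CONTEXT [ROLE] [TYPE] [LEVEL]
# An empty argument means the corresponding option was not given.
# Prints the expected new context; fails when ROLE has no default
# type and no TYPE was given.
derive_context() {
    ctx=$1; role=$2; type=$3; level=$4
    ouser=${ctx%%:*}; rest=${ctx#*:}
    orole=${rest%%:*}; rest=${rest#*:}
    case $rest in
        *:*) otype=${rest%%:*}; olevel=${rest#*:} ;;
        *)   otype=$rest; olevel= ;;
    esac
    nrole=${role:-$orole}
    if [ -n "$type" ]; then
        ntype=$type
    elif [ -n "$role" ]; then
        ntype=$(default_type_for "$role")
        if [ -z "$ntype" ]; then
            echo "derive_context: no default type for role $role" >&2
            return 1
        fi
    else
        ntype=$otype
    fi
    nlevel=$(new_level "$olevel" "$level")
    if [ -n "$nlevel" ]; then
        printf '%s:%s:%s:%s\n' "$ouser" "$nrole" "$ntype" "$nlevel"
    else
        printf '%s:%s:%s\n' "$ouser" "$nrole" "$ntype"
    fi
}

# Replay the three transcripts from EXAMPLE above.
derive_context staff_u:staff_r:staff_t:SystemLow-SystemHigh sysadm_r
derive_context staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh '' '' Secret
derive_context staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh '' '' Secret-Secret
```

The three calls at the bottom print the same contexts the id -Z transcripts show. A mismatch between this prediction and a real id -Z is a useful signal that the policy's default_type file, or the role/level the user is allowed, is not what the operator assumes.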

FILES
       /etc/passwd - user account information
       /etc/shadow - encrypted passwords and age information
       /etc/selinux/<policy>/contexts/default_type - default types for roles
       /etc/selinux/<policy>/contexts/securetty_types - securetty types for
       level changes
       /etc/selinux/newrole_pam.conf - optional mapping of commands to
       separate pam service names

SEE ALSO
       runcon(1)

AUTHORS
       Anthony Colatrella
       Tim Fraser
       Steve Grubb <sgrubb@redhat.com>
       Darrel Goeddel <DGoeddel@trustedcs.com>
       Michael Thompson <mcthomps@us.ibm.com>
       Dan Walsh <dwalsh@redhat.com>

Security Enhanced Linux              October 2000              NEWROLE(1)