NEWROLE(1)                            NSA                           NEWROLE(1)

NAME

       newrole - run a shell with a new SELinux role

SYNOPSIS

       newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL [-- [ARGS]...]

DESCRIPTION

       Run a new shell in a new context.  The new context is derived from the
       old context in which newrole is originally executed.  If the -r or
       --role option is specified, then the new context will have the role
       specified by ROLE.  If the -t or --type option is specified, then the
       new context will have the type (domain) specified by TYPE.  If a role
       is specified, but no type is specified, the default type is derived
       from the specified role.  If the -l or --level option is specified,
       then the new context will have the sensitivity level specified by
       LEVEL.  If LEVEL is a range, the new context will have the sensitivity
       level and clearance specified by that range.

       Additional arguments ARGS may be provided after a -- option, in which
       case they are supplied to the new shell.  In particular, an argument of
       -- -c will cause the next argument to be treated as a command by most
       command interpreters.

       If a command argument is specified to newrole and the command name is
       found in /etc/selinux/newrole_pam.conf, then the PAM service name
       listed in that file for the command will be used rather than the normal
       newrole PAM configuration.  This allows for per-command PAM
       configuration when invoked via newrole, e.g. to skip the interactive
       re-authentication phase.

       The new shell will be the shell specified in the user's entry in the
       /etc/passwd file.

       The -V or --version option shows the current version of newrole.

EXAMPLE

       Changing role:
          # id -Z
          staff_u:staff_r:staff_t:SystemLow-SystemHigh
          # newrole -r sysadm_r
          # id -Z
          staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

       Changing sensitivity only:
          # id -Z
          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
          # newrole -l Secret
          # id -Z
          staff_u:sysadm_r:sysadm_t:Secret-SystemHigh

       Changing sensitivity and clearance:
          # id -Z
          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
          # newrole -l Secret-Secret
          # id -Z
          staff_u:sysadm_r:sysadm_t:Secret

       Running a program in a given role or level:
          # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
          # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
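
       The derivation rules from DESCRIPTION, applied to the contexts shown
       above, as an added shell example (not part of newrole or of the
       original page).  The names derive_context, default_type_for and
       DEFAULT_TYPES are hypothetical; it assumes level names contain no '-'
       and one role:type pair per line in default_type, and it does not check
       whether policy permits the transition.

```shell
#!/bin/sh
# Added illustration: models the context derivation described in DESCRIPTION.
# It never calls newrole and never consults the loaded policy.

# Constructed stand-in for /etc/selinux/<policy>/contexts/default_type
# (assumed format: one role:type pair per line).
DEFAULT_TYPES='staff_r:staff_t
sysadm_r:sysadm_t'

# default_type_for ROLE: print the default type; fail if the role is unknown.
default_type_for() {
    printf '%s\n' "$DEFAULT_TYPES" | awk -F: -v r="$1" \
        '$1 == r { print $2; found = 1; exit } END { exit !found }'
}

# derive_context OLD ROLE TYPE LEVEL   (pass "" for an option that was not given)
derive_context() {
    old=$1 role=$2 type=$3 level=$4
    # OLD is user:role:type:range; the range is everything after the third colon.
    user=${old%%:*};   rest=${old#*:}
    orole=${rest%%:*}; rest=${rest#*:}
    otype=${rest%%:*}; orange=${rest#*:}

    # Role given without a type: the default type comes from the role.
    if [ -n "$role" ] && [ -z "$type" ]; then
        type=$(default_type_for "$role") || return 1
    fi
    [ -n "$role" ] || role=$orole
    [ -n "$type" ] || type=$otype

    case $level in
        '')  range=$orange ;;                  # no -l: range is inherited
        *-*) range=$level ;;                   # LEVEL is a range: level and clearance
        *)   range=$level-${orange#*-} ;;      # level only: old clearance is kept
             # (a single old level is its own clearance, so "#*-" leaving it whole is right)
    esac
    # An equal level and clearance is printed as one level (third example above).
    if [ "${range%%-*}" = "${range#*-}" ]; then range=${range%%-*}; fi

    printf '%s:%s:%s:%s\n' "$user" "$role" "$type" "$range"
}

# Predict the first example: prints staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
derive_context staff_u:staff_r:staff_t:SystemLow-SystemHigh sysadm_r '' ''
```

       Comparing the predicted context with id -Z after the real newrole call
       is a quick way to spot a default_type entry that maps a role to an
       unexpected domain.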

FILES

       /etc/passwd - user account information
       /etc/shadow - encrypted passwords and age information
       /etc/selinux/<policy>/contexts/default_type - default types for roles
       /etc/selinux/<policy>/contexts/securetty_types - securetty types for
       level changes
       /etc/selinux/newrole_pam.conf - optional mapping of commands to
       separate PAM service names

SEE ALSO

       runcon(1)

AUTHORS

       Anthony Colatrella
       Tim Fraser
       Steve Grubb <sgrubb@redhat.com>
       Darrel Goeddel <DGoeddel@trustedcs.com>
       Michael Thompson <mcthomps@us.ibm.com>
       Dan Walsh <dwalsh@redhat.com>

Security Enhanced Linux          October 2000                       NEWROLE(1)