1NEWROLE(1)                            NSA                           NEWROLE(1)
2
3
4

NAME

6       newrole - run a shell with a new SELinux role
7

SYNOPSIS

9       newrole  [-r|--role] ROLE [-t|--type] TYPE [-l|--level] [-p|--preserve-
10       environment] LEVEL [-- [ARGS]...]
11

DESCRIPTION

13       Run a new shell in a new context.  The new context is derived from  the
14       old  context  in  which  newrole  is originally executed.  If the -r or
15       --role option is specified, then the new context  will  have  the  role
16       specified  by  ROLE.  If the -t or --type option is specified, then the
17       new context will have the type (domain) specified by TYPE.  If  a  role
18       is  specified,  but  no  type is specified, the default type is derived
19       from the specified role.  If the -l or  --level  option  is  specified,
20       then  the  new  context  will  have  the sensitivity level specified by
21       LEVEL.  If LEVEL is a range, the new context will have the  sensitivity
22       level  and clearance specified by that range.  If the -p or --preserve-
23       environment option is specified, the shell with the new SELinux context
24       will  preserve  environment variables, otherwise a new minimal environ‐
25       ment is created.
26
27       Additional arguments ARGS may be provided after a -- option,  in  which
28       case they are supplied to the new shell.  In particular, an argument of
29       -- -c will cause the next argument to be treated as a command  by  most
30       command interpreters.
31
32       If  a  command argument is specified to newrole and the command name is
33       found in  /etc/selinux/newrole_pam.conf,  then  the  pam  service  name
34       listed in that file for the command will be used rather than the normal
35       newrole pam configuration.  This allows for per-command pam  configura‐
36       tion  when invoked via newrole, e.g. to skip the interactive re-authen‐
37       tication phase.
38
39       The new shell will be the shell specified in the user's  entry  in  the
40       /etc/passwd file.
41
42       The -V or --version shows the current version of newrole
43

EXAMPLE

45       Changing role:
46          # id -Z
47          staff_u:staff_r:staff_t:SystemLow-SystemHigh
48          # newrole -r sysadm_r
49          # id -Z
50          staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
51
52       Changing sensitivity only:
53          # id -Z
54          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
55          # newrole -l Secret
56          # id -Z
57          staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
58
59
60       Changing sensitivity and clearance:
61          # id -Z
62          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
63          # newrole -l Secret-Secret
64          # id -Z
65          staff_u:sysadm_r:sysadm_t:Secret
66
67
68       Running a program in a given role or level:
69          # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
70          # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
71
72

FILES

74       /etc/passwd - user account information
75       /etc/shadow - encrypted passwords and age information
76       /etc/selinux/<policy>/contexts/default_type - default types for roles
77       /etc/selinux/<policy>/contexts/securetty_types  -  securetty  types for
78       level changes
79       /etc/selinux/newrole_pam.conf - optional mapping of commands  to  sepa‐
80       rate pam service names
81

SEE ALSO

83       runcon(1)
84

AUTHORS

86       Anthony Colatrella
87       Tim Fraser
88       Steve Grubb <sgrubb@redhat.com>
89       Darrel Goeddel <DGoeddel@trustedcs.com>
90       Michael Thompson <mcthomps@us.ibm.com>
91       Dan Walsh <dwalsh@redhat.com>
92
93
94
95Security Enhanced Linux          October 2000                       NEWROLE(1)