.TH NEWROLE "1" "October 2000" "Security Enhanced Linux" NSA .SH NAME newrole \- run a shell with a new SELinux role .SH SYNOPSIS .B newrole [\fB-r\fR|\fB--role\fR] \fIROLE\fR [\fB-t\fR|\fB--type\fR] \fITYPE\fR [\fB-l\fR|\fB--level\fR] [\fB-p\fR|\fB--preserve-environment\fR] \fILEVEL\fR [-- [\fIARGS\fR]...] .SH DESCRIPTION .PP Run a new shell in a new context. The new context is derived from the old context in which .B newrole is originally executed. If the .B -r or .B --role option is specified, then the new context will have the role specified by \fIROLE\fR. If the .B -t or .B --type option is specified, then the new context will have the type (domain) specified by \fITYPE\fR. If a role is specified, but no type is specified, the default type is derived from the specified role. If the .B -l or .B --level option is specified, then the new context will have the sensitivity level specified by \fILEVEL\fR. If \fILEVEL\fR is a range, the new context will have the sensitivity level and clearance specified by that range. If the .B -p or .B --preserve-environment option is specified, the shell with the new SELinux context will preserve environment variables, otherwise a new minimal environment is created. .PP Additional arguments .I ARGS may be provided after a -- option, in which case they are supplied to the new shell. In particular, an argument of \-\- \-c will cause the next argument to be treated as a command by most command interpreters. .PP If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the pam service name listed in that file for the command will be used rather than the normal newrole pam configuration. This allows for per-command pam configuration when invoked via newrole, e.g. to skip the interactive re-authentication phase. .PP The new shell will be the shell specified in the user's entry in the .I /etc/passwd file. .PP The .B -V or .B --version shows the current version of newrole .PP .SH EXAMPLE .br Changing role: # id \-Z staff_u:staff_r:staff_t:SystemLow-SystemHigh # newrole \-r sysadm_r # id \-Z staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh Changing sensitivity only: # id \-Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh # newrole \-l Secret # id \-Z staff_u:sysadm_r:sysadm_t:Secret-SystemHigh .PP Changing sensitivity and clearance: # id \-Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh # newrole \-l Secret-Secret # id \-Z staff_u:sysadm_r:sysadm_t:Secret .PP Running a program in a given role or level: # newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..." # newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..." .SH FILES /etc/passwd - user account information .br /etc/shadow - encrypted passwords and age information .br /etc/selinux//contexts/default_type - default types for roles .br /etc/selinux//contexts/securetty_types - securetty types for level changes .br /etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names .br .SH SEE ALSO .BR runcon (1) .SH AUTHORS .nf Anthony Colatrella Tim Fraser Steve Grubb Darrel Goeddel Michael Thompson Dan Walsh