NEWROLE(1) | NSA | NEWROLE(1) |
NAME¶
newrole - run a shell with a new SELinux roleSYNOPSIS¶
newrole [ -r|--role] ROLE [ -t|--type] TYPE [ -l|--level] LEVEL [-- [ARGS]...]DESCRIPTION¶
Run a new shell in a new context. The new context is derived from the old context in which newrole is originally executed. If the -r or --role option is specified, then the new context will have the role specified by ROLE. If the -t or --type option is specified, then the new context will have the type (domain) specified by TYPE. If a role is specified, but no type is specified, the default type is derived from the specified role. If the -l or --level option is specified, then the new context will have the sensitivity level specified by LEVEL. If LEVEL is a range, the new context will have the sensitivity level and clearance specified by that range. Additional arguments ARGS may be provided after a -- option, in which case they are supplied to the new shell. In particular, an argument of -- -c will cause the next argument to be treated as a command by most command interpreters. If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the pam service name listed in that file for the command will be used rather than the normal newrole pam configuration. This allows for per-command pam configuration when invoked via newrole, e.g. to skip the interactive re-authentication phase. The new shell will be the shell specified in the user's entry in the /etc/passwd file. The -V or --version shows the current version of newroleEXAMPLE¶
Changing role:# id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
# newrole -r sysadm_r
# id -Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
# id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole -l Secret
# id -Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
# id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole -l Secret-Secret
# id -Z
staff_u:sysadm_r:sysadm_t:Secret
# newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
# newrole -l Secret -- -c "/path/to/app arg1 arg2..."
FILES¶
/etc/passwd - user account informationSEE ALSO¶
runcon (1)AUTHORS¶
Anthony Colatrella Tim Fraser Steve Grubb <sgrubb@redhat.com> Darrel Goeddel <DGoeddel@trustedcs.com> Michael Thompson <mcthomps@us.ibm.com> Dan Walsh <dwalsh@redhat.com>
October 2000 | Security Enhanced Linux |