·

newrole (1) Linux Manual Page

ByLinux Manual Posted on

newrole – run a shell with a new SELinux role

Synopsis

newrole [-r|–role] ROLE [-t|–type] TYPE [-l|–level] [-p|–preserve-environment] LEVEL [– [ARGS]…]

Description

Run a new shell in a new context. The new context is derived from the old context in which newrole is originally executed. If the -r or –role option is specified, then the new context will have the role specified by ROLE. If the -t or –type option is specified, then the new context will have the type (domain) specified by TYPE. If a role is specified, but no type is specified, the default type is derived from the specified role. If the -l or –level option is specified, then the new context will have the sensitivity level specified by LEVEL. If LEVEL is a range, the new context will have the sensitivity level and clearance specified by that range. If the -p or –preserve-environment option is specified, the shell with the new SELinux context will preserve environment variables, otherwise a new minimal enviroment is created.

Additional arguments ARGS may be provided after a — option, in which case they are supplied to the new shell. In particular, an argument of — -c will cause the next argument to be treated as a command by most command interpreters.

If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the pam service name listed in that file for the command will be used rather than the normal newrole pam configuration. This allows for per-command pam configuration when invoked via newrole, e.g. to skip the interactive re-authentication phase.

The new shell will be the shell specified in the user’s entry in the /etc/passwd file.

The -V or –version shows the current version of newrole

Example

Changing role:
id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
newrole -r sysadm_r
id -Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

Changing sensitivity only:
id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
newrole -l Secret
id -Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh

Changing sensitivity and clearance:
id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
newrole -l Secret-Secret
id -Z
staff_u:sysadm_r:sysadm_t:Secret

Running a program in a given role or level:
newrole -r sysadm_r — -c "/path/to/app arg1 arg2…"
newrole -l Secret — -c "/path/to/app arg1 arg2…"

Files

/etc/passwd – user account information
/etc/shadow – encrypted passwords and age information
/etc/selinux/<policy>/contexts/default_type – default types for roles
/etc/selinux/<policy>/contexts/securetty_types – securetty types for level changes
/etc/selinux/newrole_pam.conf – optional mapping of commands to separate pam service names

See Also

runcon (1)

Authors

Anthony Colatrella

Tim Fraser

Steve Grubb <sgrubb [at] redhat.com>

Darrel Goeddel <DGoeddel [at] trustedcs.com>

Michael Thompson <mcthomps [at] us.ibm.com>

Dan Walsh <dwalsh [at] redhat.com>

Leave a Reply

Your email address will not be published. Required fields are marked *