NEWROLE(1) NSA NEWROLE(1) NAME newrole - run a shell with a new SELinux role SYNOPSIS newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL [-- [ARGS]...] DESCRIPTION Run a new shell in a new context. The new context is derived from the old context in which newrole is originally executed. If the -r or --role option is specified, then the new context will have the role specified by ROLE. If the -t or --type option is specified, then the new context will have the type (domain) specified by TYPE. If a role is specified, but no type is specified, the default type is derived from the specified role. If the -l or --level option is specified, then the new context will have the sensitivity level specified by LEVEL. If LEVEL is a range, the new context will have the sensitivity level and clearance specified by that range. Additional arguments ARGS may be provided after a -- option, in which case they are supplied to the new shell. In particular, an argument of -- -c will cause the next argument to be treated as a command by most command interpreters. If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the pam service name listed in that file for the command will be used rather than the normal newrole pam configuration. This allows for per-command pam configura tion when invoked via newrole, e.g. to skip the interactive re-authen tication phase. The new shell will be the shell specified in the users entry in the /etc/passwd file. The -V or --version shows the current version of newrole EXAMPLE Changing role: # id -Z staff_u:staff_r:staff_t:SystemLow-SystemHigh # newrole -r sysadm_r # id -Z staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh Changing sensitivity only: # id -Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh # newrole -l Secret # id -Z staff_u:sysadm_r:sysadm_t:Secret-SystemHigh Changing sensitivity and clearance: # id -Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh # newrole -l Secret-Secret # id -Z staff_u:sysadm_r:sysadm_t:Secret Running a program in a given role or level: # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..." # newrole -l Secret -- -c "/path/to/app arg1 arg2..." FILES /etc/passwd - user account information /etc/shadow - encrypted passwords and age information /etc/selinux//contexts/default_type - default types for roles /etc/selinux//contexts/securetty_types - securetty types for level changes /etc/selinux/newrole_pam.conf - optional mapping of commands to sepa rate pam service names SEE ALSO runcon (1) AUTHORS Anthony Colatrella Tim Fraser Steve Grubb Darrel Goeddel Michael Thompson Dan Walsh Security Enhanced Linux October 2000 NEWROLE(1)