.TH NEWROLE "1" "October 2000" "Security Enhanced Linux" NSA
.SH NAME
newrole \- run a shell with a new SELinux role
.SH SYNOPSIS
.B newrole
[\fB-r\fR|\fB--role\fR]
\fIROLE\fR
[\fB-t\fR|\fB--type\fR]
\fITYPE\fR
[\fB-l\fR|\fB--level\fR]
\fILEVEL\fR
[\fB-p\fR|\fB--preserve-environment\fR]
[\fB-V\fR|\fB--version\fR]
[\-\- [\fIARGS\fR]...]
.SH DESCRIPTION
.PP
Run a new shell in a new context. The new context is derived from the
old context in which
.B newrole
is originally executed. If the
.B -r
or
.B --role
option is specified, then the new context will have the role specified by
\fIROLE\fR.
If the
.B -t
or
.B --type
option is specified, then the new context will have the type (domain)
specified by
\fITYPE\fR.
If a role is specified, but no type is specified, the default type is derived
from the specified role. If the
.B -l
or
.B --level
option is specified, then the new context will have the sensitivity level
specified by
\fILEVEL\fR.
If
\fILEVEL\fR
is a range, the new context will have the sensitivity level and clearance
specified by that range. If the
.B -p
or
.B --preserve-environment
option is specified, the shell with the new SELinux context will preserve
environment variables; otherwise a new minimal environment is created.
.PP
Additional arguments
.I ARGS
may be provided after a \-\- option,
in which case they are supplied to the new shell.
In particular, an argument of \-\- \-c will cause the next argument to be
treated as a command by most command interpreters.
.PP
If a command argument is specified to newrole and the command name is found
in /etc/selinux/newrole_pam.conf, then the pam service name listed in that
file for the command will be used rather than the normal newrole pam
configuration. This allows for per-command pam configuration when
invoked via newrole, e.g. to skip the interactive re-authentication phase.
.PP
The new shell will be the shell specified in the user's entry in the
.I /etc/passwd
file.
.PP
The
.B -V
or
.B --version
option shows the current version of newrole.
.SH EXAMPLE
.PP
Changing role:
.nf
# id \-Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
# newrole \-r sysadm_r
# id \-Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
.fi
.PP
Changing sensitivity only:
.nf
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
.fi
.PP
Changing sensitivity and clearance:
.nf
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret-Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret
.fi
.PP
Running a program in a given role or level:
.nf
# newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..."
# newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..."
.fi
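.PP
The following Python model is added here as an illustration of the context derivation described in DESCRIPTION and shown in EXAMPLE; it is not part of newrole or this manual. newrole itself is a C program that also performs PAM re-authentication and asks the policy whether the transition is allowed, neither of which is modelled. The model assumes the default_type file holds one "role:type" line per entry (the format libselinux reads), and the contexts and file contents below are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of /etc/selinux/<policy>/contexts/default_type.
# Assumption: one "role:type" line per entry, the format libselinux expects.
DEFAULT_TYPE_SAMPLE = """\
# role:type
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t
"""


def parse_default_type(text: str) -> Dict[str, str]:
    """Return a role -> default type mapping; blank and '#' lines are ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        role, sep, typ = line.partition(":")
        if not sep or not role or not typ:
            raise ValueError(f"malformed default_type line: {raw!r}")
        mapping[role] = typ
    return mapping


@dataclass(frozen=True)
class Context:
    """An SELinux context user:role:type:level; level is 'low' or 'low-high'."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        # maxsplit=3 keeps any ':' inside an MLS level such as s0:c0.c1023 intact.
        parts = s.split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"not a user:role:type:level context: {s!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


def derive_level(old_level: str, requested: str) -> str:
    """Apply -l/--level as the EXAMPLE section shows it.

    A single level replaces the sensitivity and keeps the old clearance
    (Unclassified-SystemHigh + Secret -> Secret-SystemHigh); a range replaces
    both, and a range whose ends are equal is shown as one level
    (Secret-Secret -> Secret).
    """
    low, sep, high = requested.partition("-")
    if not sep:
        _, old_sep, old_high = old_level.partition("-")
        high = old_high if old_sep else low
    if not low or not high:
        raise ValueError(f"malformed level: {requested!r}")
    return low if low == high else f"{low}-{high}"


def derive_context(old: Context, *, role: Optional[str] = None,
                   type_: Optional[str] = None, level: Optional[str] = None,
                   default_types: Dict[str, str]) -> Context:
    """Compute the context newrole would request for the new shell."""
    new_role, new_type, new_level = old.role, old.type, old.level
    if role is not None:
        new_role = role
        if type_ is None:
            # -r without -t: the type comes from default_type for that role.
            if role not in default_types:
                raise ValueError(f"no default type for role {role!r}")
            new_type = default_types[role]
    if type_ is not None:
        new_type = type_
    if level is not None:
        new_level = derive_level(old.level, level)
    return Context(old.user, new_role, new_type, new_level)


def run_examples() -> Dict[str, str]:
    """Reproduce the three context changes from the EXAMPLE section."""
    types = parse_default_type(DEFAULT_TYPE_SAMPLE)
    staff = Context.parse("staff_u:staff_r:staff_t:SystemLow-SystemHigh")
    admin = Context.parse("staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh")
    return {
        "newrole -r sysadm_r": str(derive_context(staff, role="sysadm_r", default_types=types)),
        "newrole -l Secret": str(derive_context(admin, level="Secret", default_types=types)),
        "newrole -l Secret-Secret": str(derive_context(admin, level="Secret-Secret", default_types=types)),
    }


if __name__ == "__main__":
    for cmd, ctx in run_examples().items():
        print(f"{cmd:26} -> {ctx}")
```

A role that has no entry in default_type is rejected when no \-t is given, which mirrors the manual's statement that the default type is derived from the role; the real newrole additionally refuses the transition when the policy does not allow it, so a context this model produces is only a request, not a guarantee.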
.SH FILES
/etc/passwd - user account information
.br
/etc/shadow - encrypted passwords and age information
.br
/etc/selinux/<policy>/contexts/default_type - default types for roles
.br
/etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
.br
/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
.SH SEE ALSO
.BR runcon (1)
.SH AUTHORS
.nf
Anthony Colatrella
Tim Fraser
Steve Grubb <[email protected]>
Darrel Goeddel <[email protected]>
Michael Thompson <[email protected]>
Dan Walsh <[email protected]>
.fi