CentOS 7.0 - man page for newrole (centos section 1)


NEWROLE(1)				       NSA				       NEWROLE(1)

NAME
       newrole - run a shell with a new SELinux role

SYNOPSIS
       newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL [-- [ARGS]...]

DESCRIPTION
       Run a new shell in a new context.  The new context is derived from the old context in
       which newrole is originally executed.  If the -r or --role option is specified, then the
       new context will have the role specified by ROLE.  If the -t or --type option is
       specified, then the new context will have the type (domain) specified by TYPE.  If a role
       is specified, but no type is specified, the default type is derived from the specified
       role.  If the -l or --level option is specified, then the new context will have the
       sensitivity level specified by LEVEL.  If LEVEL is a range, the new context will have the
       sensitivity level and clearance specified by that range.

       Additional arguments ARGS may be provided after a -- option, in which case they are
       supplied to the new shell.  In particular, an argument of -- -c will cause the next
       argument to be treated as a command by most command interpreters.

       If a command argument is specified to newrole and the command name is found in
       /etc/selinux/newrole_pam.conf, then the pam service name listed in that file for the
       command will be used rather than the normal newrole pam configuration.  This allows for
       per-command pam configuration when invoked via newrole, e.g. to skip the interactive
       re-authentication phase.

       The new shell will be the shell specified in the user's entry in the /etc/passwd file.

       The -V or --version option shows the current version of newrole.

EXAMPLE
       Changing role:
	  # id -Z
	  staff_u:staff_r:staff_t:SystemLow-SystemHigh
	  # newrole -r sysadm_r
	  # id -Z
	  staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

       Changing sensitivity only:
	  # id -Z
	  staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
	  # newrole -l Secret
	  # id -Z
	  staff_u:sysadm_r:sysadm_t:Secret-SystemHigh

       Changing sensitivity and clearance:
	  # id -Z
	  staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
	  # newrole -l Secret-Secret
	  # id -Z
	  staff_u:sysadm_r:sysadm_t:Secret

       Running a program in a given role or level:
	  # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
	  # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
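
The context derivation described under DESCRIPTION and shown in the examples above, modelled as a shell function. This is an added example, not part of newrole or of the original man page: derive_context and the embedded default_type sample are assumptions, and authentication and policy checks are not modelled.

```shell
#!/bin/sh
# Constructed sample in the role:type format of
# /etc/selinux/<policy>/contexts/default_type (not read from a real system).
DEFAULT_TYPES='staff_r:staff_t
sysadm_r:sysadm_t
user_r:user_t'

# derive_context OLD_CONTEXT ROLE TYPE LEVEL   (pass '' for an option not given)
# Hypothetical helper: prints the context the new shell would be asked to run in.
derive_context() {
    ctx=$1 new_role=$2 new_type=$3 new_level=$4
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}
    # Everything after the third colon is the range; raw MLS ranges such as
    # s0-s0:c0.c1023 contain colons themselves, so do not split any further.
    case $rest in *:*) range=${rest#*:} ;; *) range= ;; esac

    if [ -n "$new_role" ]; then
        role=$new_role
        if [ -z "$new_type" ]; then
            # Role without type: take the default type listed for that role.
            for entry in $DEFAULT_TYPES; do
                case $entry in "$role":*) new_type=${entry#*:} ;; esac
            done
            [ -n "$new_type" ] || { echo "no default type for $role" >&2; return 1; }
        fi
    fi
    [ -n "$new_type" ] && type=$new_type

    if [ -n "$new_level" ]; then
        [ -n "$range" ] || { echo "context has no MLS range" >&2; return 1; }
        case $new_level in
            *-*) low=${new_level%%-*}; high=${new_level#*-} ;;  # range: level and clearance
            *)   low=$new_level; high=${range#*-} ;;            # level only: keep clearance
        esac
        # A range whose two ends are equal is shown as a single level,
        # as in the "Secret-Secret" example above.
        if [ "$low" = "$high" ]; then range=$low; else range=$low-$high; fi
    fi
    printf '%s:%s:%s%s\n' "$user" "$role" "$type" "${range:+:$range}"
}
```

Comparing the output of derive_context for the current `id -Z` value with `id -Z` inside the new shell is a quick check that a role or level change produced the context that was intended.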

FILES
       /etc/passwd - user account information
       /etc/shadow - encrypted passwords and age information
       /etc/selinux/<policy>/contexts/default_type - default types for roles
       /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
       /etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names

SEE ALSO
       runcon (1)

AUTHORS
       Anthony Colatrella
       Tim Fraser
       Steve Grubb <sgrubb@redhat.com>
       Darrel Goeddel <DGoeddel@trustedcs.com>
       Michael Thompson <mcthomps@us.ibm.com>
       Dan Walsh <dwalsh@redhat.com>

Security Enhanced Linux 		   October 2000 			       NEWROLE(1)