.TH NEWROLE "1" "October 2000" "Security Enhanced Linux" NSA
.SH NAME
newrole \- run a shell with a new SELinux role
.SH SYNOPSIS
.B newrole
[\fB\-r\fR|\fB\-\-role\fR]
\fIROLE\fR
[\fB\-t\fR|\fB\-\-type\fR]
\fITYPE\fR
[\fB\-l\fR|\fB\-\-level\fR]
\fILEVEL\fR [\-\- [\fIARGS\fR]...]
.SH DESCRIPTION
.PP
Run a new shell in a new context. The new context is derived from the
old context in which
.B newrole
is originally executed. If the
.B \-r
or
.B \-\-role
option is specified, then the new context will have the role specified by
\fIROLE\fR.
If the
.B \-t
or
.B \-\-type
option is specified, then the new context will have the type (domain)
specified by
\fITYPE\fR.
If a role is specified, but no type is specified, the default type is derived
from the specified role. If the
.B \-l
or
.B \-\-level
option is specified, then the new context will have the sensitivity level
specified by
\fILEVEL\fR.
If
\fILEVEL\fR
is a range, the new context will have the sensitivity level and clearance
specified by that range.
.PP
Additional arguments
.I ARGS
may be provided after a \-\- option,
in which case they are supplied to the new shell.
In particular, an argument of \-\- \-c will cause the next argument to be
treated as a command by most command interpreters.
.PP
If a command argument is specified to newrole and the command name is found
in /etc/selinux/newrole_pam.conf, then the pam service name listed in that
file for the command will be used rather than the normal newrole pam
configuration. This allows for per-command pam configuration when
invoked via newrole, e.g. to skip the interactive re-authentication phase.
Because such an entry removes a check that the normal newrole pam
configuration performs, entries in that file should be reviewed with care.
.PP
The new shell will be the shell specified in the user's entry in the
.I /etc/passwd
file.
.PP
The
.B \-V
or
.B \-\-version
option shows the current version of newrole.
.PP
.SH EXAMPLE
.br
Changing role:
# id \-Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
# newrole \-r sysadm_r
# id \-Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
Changing sensitivity only:
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
.PP
Changing sensitivity and clearance:
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret-Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret
.PP
Running a program in a given role or level:
# newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..."
# newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..."
.SH FILES
/etc/passwd - user account information
.br
/etc/shadow - encrypted passwords and age information
.br
/etc/selinux/<policy>/contexts/default_type - default types for roles
.br
/etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
.br
/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
.br
.SH SEE ALSO
.B runcon
(1)
.SH AUTHORS
.nf
Anthony Colatrella
Tim Fraser
Steve Grubb <sgrubb@redhat.com>
Darrel Goeddel <DGoeddel@trustedcs.com>
Michael Thompson <mcthomps@us.ibm.com>
Dan Walsh <dwalsh@redhat.com>