selinux/policycoreutils/newrole/newrole.1
Alan Jenkins 62f058980e policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
Fix missing and surplus commas.  Fix the following formatting errors:

    .BR selinux(8)

renders the the "(8)" in bold as well as the "selinux".  This is wrong.

    .B selinux
    (8)

renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)

commits both of the above mistakes.

    .BR selinux (8), apparmor (8)

omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:31 -05:00

122 lines
3.2 KiB
Groff

.TH NEWROLE "1" "October 2000" "Security Enhanced Linux" NSA
.SH NAME
newrole \- run a shell with a new SELinux role
.SH SYNOPSIS
.B newrole
[\fB-r\fR|\fB--role\fR]
\fIROLE\fR
[\fB-t\fR|\fB--type\fR]
\fITYPE\fR
[\fB-l\fR|\fB--level\fR]
[\fB-p\fR|\fB--preserve-environment\fR]
\fILEVEL\fR [-- [\fIARGS\fR]...]
.SH DESCRIPTION
.PP
Run a new shell in a new context. The new context is derived from the
old context in which
.B newrole
is originally executed. If the
.B -r
or
.B --role
option is specified, then the new context will have the role specified by
\fIROLE\fR.
If the
.B -t
or
.B --type
option is specified, then the new context will have the type (domain)
specified by
\fITYPE\fR.
If a role is specified, but no type is specified, the default type is derived
from the specified role. If the
.B -l
or
.B --level
option is specified, then the new context will have the sensitivity level
specified by
\fILEVEL\fR.
If
\fILEVEL\fR
is a range, the new context will have the sensitivity level and clearance
specified by that range. If the
.B -p
or
.B --preserve-environment
option is specified, the shell with the new SELinux context will preserve environment variables,
otherwise a new minimal enviroment is created.
.PP
Additional arguments
.I ARGS
may be provided after a -- option,
in which case they are supplied to the new shell.
In particular, an argument of \-\- \-c will cause the next argument to be
treated as a command by most command interpreters.
.PP
If a command argument is specified to newrole and the command name is found
in /etc/selinux/newrole_pam.conf, then the pam service name listed in that
file for the command will be used rather than the normal newrole pam
configuration. This allows for per-command pam configuration when
invoked via newrole, e.g. to skip the interactive re-authentication phase.
.PP
The new shell will be the shell specified in the user's entry in the
.I /etc/passwd
file.
.PP
The
.B -V
or
.B --version
shows the current version of newrole
.PP
.SH EXAMPLE
.br
Changing role:
# id \-Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
# newrole \-r sysadm_r
# id \-Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
Changing sensitivity only:
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
.PP
Changing sensitivity and clearance:
# id \-Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole \-l Secret-Secret
# id \-Z
staff_u:sysadm_r:sysadm_t:Secret
.PP
Running a program in a given role or level:
# newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..."
# newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..."
.SH FILES
/etc/passwd - user account information
.br
/etc/shadow - encrypted passwords and age information
.br
/etc/selinux/<policy>/contexts/default_type - default types for roles
.br
/etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
.br
/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
.br
.SH SEE ALSO
.BR runcon (1)
.SH AUTHORS
.nf
Anthony Colatrella
Tim Fraser
Steve Grubb <sgrubb@redhat.com>
Darrel Goeddel <DGoeddel@trustedcs.com>
Michael Thompson <mcthomps@us.ibm.com>
Dan Walsh <dwalsh@redhat.com>