newrole(1) — Linux manual page


NEWROLE(1)                           NSA                          NEWROLE(1)

NAME         top

       newrole - run a shell with a new SELinux role

SYNOPSIS         top

       newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level]
       [-p|--preserve-environment] LEVEL [-- [ARGS]...]

DESCRIPTION         top

       Run a new shell in a new context.  The new context is derived from
       the old context in which newrole is originally executed.  If the -r
       or --role option is specified, then the new context will have the
       role specified by ROLE.  If the -t or --type option is specified,
       then the new context will have the type (domain) specified by TYPE.
       If a role is specified, but no type is specified, the default type is
       derived from the specified role.  If the -l or --level option is
       specified, then the new context will have the sensitivity level
       specified by LEVEL.  If LEVEL is a range, the new context will have
       the sensitivity level and clearance specified by that range.  If the
       -p or --preserve-environment option is specified, the shell with the
       new SELinux context will preserve environment variables, otherwise a
       new minimal environment is created.

       Additional arguments ARGS may be provided after a -- option, in which
       case they are supplied to the new shell.  In particular, an argument
       of -- -c will cause the next argument to be treated as a command by
       most command interpreters.

       If a command argument is specified to newrole and the command name is
       found in /etc/selinux/newrole_pam.conf, then the pam service name
       listed in that file for the command will be used rather than the
       normal newrole pam configuration.  This allows for per-command pam
       configuration when invoked via newrole, e.g. to skip the interactive
       re-authentication phase.

       The new shell will be the shell specified in the user's entry in the
       /etc/passwd file.

       The -V or --version shows the current version of newrole

EXAMPLE         top

       Changing role:
          # id -Z
          # newrole -r sysadm_r
          # id -Z

       Changing sensitivity only:
          # id -Z
          # newrole -l Secret
          # id -Z

       Changing sensitivity and clearance:
          # id -Z
          # newrole -l Secret-Secret
          # id -Z

       Running a program in a given role or level:
          # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
          # newrole -l Secret -- -c "/path/to/app arg1 arg2..."

FILES         top

       /etc/passwd - user account information
       /etc/shadow - encrypted passwords and age information
       /etc/selinux/<policy>/contexts/default_type - default types for roles
       /etc/selinux/<policy>/contexts/securetty_types - securetty types for
       level changes
       /etc/selinux/newrole_pam.conf - optional mapping of commands to
       separate pam service names

SEE ALSO         top


AUTHORS         top

       Anthony Colatrella
       Tim Fraser
       Steve Grubb <>
       Darrel Goeddel <>
       Michael Thompson <>
       Dan Walsh <>

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-08-13.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-08-11.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to

Security Enhanced Linux         October 2000                      NEWROLE(1)

Pages that refer to this page: default_type(5)securetty_types(5)run_init(8)