Guide to the Linux Manual


newrole(1)

run a shell with a new SELinux role

Name

newrole - run a shell with a new SELinux role

Synopsis

newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL
       [-p|--preserve-environment] [-- [ARGS]...]

Description

Run a new shell in a new context. The new context is derived from the old context in which newrole is originally executed. If the -r or --role option is specified, then the new context will have the role specified by ROLE. If the -t or --type option is specified, then the new context will have the type (domain) specified by TYPE. If a role is specified, but no type is specified, the default type is derived from the specified role. If the -l or --level option is specified, then the new context will have the sensitivity level specified by LEVEL. If LEVEL is a range, the new context will have the sensitivity level and clearance specified by that range. If the -p or --preserve-environment option is specified, the shell with the new SELinux context will preserve environment variables, otherwise a new minimal environment is created.

Additional arguments ARGS may be provided after a -- option, in which case they are supplied to the new shell. In particular, an argument of -- -c will cause the next argument to be treated as a command by most command interpreters.

If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the PAM service name listed in that file for the command will be used rather than the normal newrole PAM configuration. This allows for per-command PAM configuration when invoked via newrole, e.g. to skip the interactive re-authentication phase.

The new shell will be the shell specified in the user's entry in the /etc/passwd file.

The -V or --version option shows the current version of newrole.


Examples

Changing role:
          # id -Z
          staff_u:staff_r:staff_t:SystemLow-SystemHigh
          # newrole -r sysadm_r
          # id -Z
          staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh

Changing sensitivity only:
          # id -Z
          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
          # newrole -l Secret
          # id -Z
          staff_u:sysadm_r:sysadm_t:Secret-SystemHigh

Changing sensitivity and clearance:
          # id -Z
          staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
          # newrole -l Secret-Secret
          # id -Z
          staff_u:sysadm_r:sysadm_t:Secret

Running a program in a given role or level:
          # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
          # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
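
The derivation rules from the Description, applied to the contexts shown in the examples above, as an added example that is not part of the newrole manual or source. The function names and the inline DEFAULT_TYPES table (standing in for the contexts/default_type file, assumed to hold one role:type pair per line) are hypothetical; the function only predicts the requested context and does not check whether policy permits the transition.

```bash
#!/bin/bash
# Added example (not from the newrole source). Function names are hypothetical.
# DEFAULT_TYPES is constructed sample data standing in for
# /etc/selinux/<policy>/contexts/default_type (one role:type pair per line).
DEFAULT_TYPES='staff_r:staff_t
sysadm_r:sysadm_t
secadm_r:secadm_t'

# default_type_for ROLE: print the role's default type; fail if unknown.
default_type_for() {
    local line
    while IFS= read -r line; do
        if [ "${line%%:*}" = "$1" ]; then
            printf '%s\n' "${line#*:}"
            return 0
        fi
    done <<EOF
$DEFAULT_TYPES
EOF
    return 1
}

# derive_context OLD ROLE TYPE LEVEL: pass "" for an option that is not given.
derive_context() {
    local user rest o_role o_type range low high role typ level
    role=$2; typ=$3; level=$4
    user=${1%%:*};      rest=${1#*:}
    o_role=${rest%%:*}; rest=${rest#*:}
    o_type=${rest%%:*}; range=${rest#*:}    # the range may itself contain ':'
    # Role given without a type: the default type is derived from the role.
    if [ -n "$role" ] && [ -z "$typ" ]; then
        typ=$(default_type_for "$role") || return 1
    fi
    low=${range%%-*}; high=
    case $range in *-*) high=${range#*-} ;; esac    # old clearance, if any
    case $level in
        '')  ;;                                     # no -l: keep the old range
        *-*) low=${level%%-*}; high=${level#*-} ;;  # range: level and clearance
        *)   low=$level ;;                          # level only: keep clearance
    esac
    # Equal ends are shown as a single level, as in the page's third example.
    if [ -z "$high" ] || [ "$low" = "$high" ]; then range=$low; else range=$low-$high; fi
    printf '%s:%s:%s:%s\n' "$user" "${role:-$o_role}" "${typ:-$o_type}" "$range"
}
```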


Files

/etc/passwd - user account information
/etc/shadow - encrypted passwords and age information
/etc/selinux/<policy>/contexts/default_type - default types for roles
/etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names

See also

runcon(1)