Provided by: newrole_3.4-1_amd64


       newrole - run a shell with a new SELinux role


       newrole  [-r|--role]  ROLE [-t|--type] TYPE [-l|--level] LEVEL [-p|--preserve-environment]
       [-- [ARGS]...]


       Run a new shell in a new context.  The new context is derived  from  the  old  context  in
       which  newrole  is originally executed.  If the -r or --role option is specified, then the
       new context will have the role  specified  by  ROLE.   If  the  -t  or  --type  option  is
       specified,  then the new context will have the type (domain) specified by TYPE.  If a role
       is specified, but no type is specified, the default type is  derived  from  the  specified
       role.   If  the  -l  or  --level  option  is specified, then the new context will have the
       sensitivity level specified by LEVEL.  If LEVEL is a range, the new context will have  the
       sensitivity  level  and  clearance  specified  by  that  range.   If the -p or
       --preserve-environment option is specified, the shell with the  new  SELinux  context  will
       preserve environment variables; otherwise a new minimal environment is created.

       Additional  arguments  ARGS  may  be  provided  after  a -- option, in which case they are
       supplied to the new shell.  In particular, an argument  of  --  -c  will  cause  the  next
       argument to be treated as a command by most command interpreters.

       If  a  command  argument  is  specified  to  newrole  and  the  command  name  is found in
       /etc/selinux/newrole_pam.conf, then the pam service name  listed  in  that  file  for  the
       command  will  be  used rather than the normal newrole pam configuration.  This allows for
       per-command pam configuration when invoked via newrole, e.g. to skip the  interactive
       re-authentication phase.
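
       Because a per-command mapping can remove the re-authentication step, it is worth
       auditing. The following is an added example, not part of the newrole package: it
       assumes each non-comment line of the mapping file is "<command> <pam-service>" and that
       service files live in /etc/pam.d; the function name audit_newrole_pam is hypothetical.

```shell
#!/bin/sh
# Added example (not from the newrole package): audit per-command PAM overrides.
# Assumption: each non-comment line of the mapping file is "<command> <pam-service>".
# Usage: audit_newrole_pam [/etc/selinux/newrole_pam.conf] [/etc/pam.d]
audit_newrole_pam() {
    conf=${1:-/etc/selinux/newrole_pam.conf}
    pamdir=${2:-/etc/pam.d}
    findings=0
    if [ ! -r "$conf" ]; then
        echo "OK   no per-command overrides: $conf not present"
        return 0
    fi
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r cmd svc _rest || [ -n "$cmd" ]; do
        case $cmd in ''|'#'*) continue ;; esac
        svcfile=$pamdir/$svc
        if [ -z "$svc" ]; then
            echo "WARN $cmd: line has no PAM service name"
        elif [ ! -f "$svcfile" ]; then
            # Linux-PAM falls back to the "other" service when the file is absent.
            echo "WARN $cmd -> $svc: $svcfile missing, PAM will use 'other'"
        elif grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_(permit|rootok)\.so' "$svcfile"; then
            echo "WARN $cmd -> $svc: auth rule can succeed without re-authentication"
        elif ! grep -Eq '^[[:space:]]*(-?auth|@include)[[:space:]]' "$svcfile"; then
            # @include is the Debian-style way to pull in a shared auth stack.
            echo "WARN $cmd -> $svc: no auth rules or includes in $svcfile"
        else
            echo "OK   $cmd -> $svc"
            continue
        fi
        findings=$((findings + 1))
    done < "$conf"
    # Non-zero exit status when at least one mapping needs review.
    [ "$findings" -eq 0 ]
}
```

       A WARN line is a prompt for manual review of that PAM stack, not proof that the
       mapping is unsafe.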

       The new shell will be the shell specified in the user's entry in the /etc/passwd file.

       The -V or --version option shows the current version of newrole.


       Changing role:
          # id -Z
          # newrole -r sysadm_r
          # id -Z

       Changing sensitivity only:
          # id -Z
          # newrole -l Secret
          # id -Z

       Changing sensitivity and clearance:
          # id -Z
          # newrole -l Secret-Secret
          # id -Z

       Running a program in a given role or level:
          # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
          # newrole -l Secret -- -c "/path/to/app arg1 arg2..."


       /etc/passwd - user account information
       /etc/shadow - encrypted passwords and age information
       /etc/selinux/<policy>/contexts/default_type - default types for roles
       /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
       /etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names




       Anthony Colatrella
       Tim Fraser
       Steve Grubb
       Darrel Goeddel
       Michael Thompson
       Dan Walsh