LinuxCommandLibrary

newrole

Execute command in a new SELinux role

TLDR

Start a new shell with a specific SELinux role

$ newrole [[-r|--role]] [role_name]

Start a new shell with a specific SELinux type
$ newrole [[-t|--type]] [type_name]

Start a new shell with a specific SELinux level (format: s0-s0:c0.c1023 where levels range from s0 to s15, - indicates level range, categories start with c, : separates level from categories, . indicates category range)
$ newrole [[-l|--level]] [s0-s0:c0.c1023]

Display the current SELinux context
$ id [[-Z|--context]]

Start a new shell with both role and type
$ newrole [[-r|--role]] [role_name] [[-t|--type]] [type_name]

SYNOPSIS

newrole [-r role] [-t type] [-l level] [-c command [arg ...]] [-] [--] [args]

PARAMETERS

-r role
    Specify the target SELinux role to assume for the new session or command.

-t type
    Specify the target SELinux type for the new role's domain. Rarely used directly.

-l level
    Specify the target SELinux sensitivity level (e.g., s0:c0.c0) for MLS/MCS systems.

-c command [arg ...]
    Execute a specific command with the new role's security context. If omitted, a new interactive shell is started.

-
    Resets the environment variables, similar to a login shell, before starting the new shell or command.

--
    Indicates the end of newrole options, allowing subsequent arguments to be passed directly to the command or shell.

args
    Arguments to be passed to the new shell or the specified command.

DESCRIPTION

The newrole command is an essential utility in Security-Enhanced Linux (SELinux) environments. It allows a logged-in user to assume a different SELinux role, thereby changing their security context for the current session. This capability is critical for fine-grained privilege management, enabling users to perform specific tasks with elevated or restricted permissions defined by a particular role. When a user executes newrole, SELinux policy checks if the user is authorized to transition to the specified role. If authorized, a new shell or process is started under the security context of the new role. This provides a secure way to compartmentalize tasks, ensuring that actions are performed with the minimum necessary privileges, enhancing the overall security posture of the system. It is often used by system administrators to temporarily switch to administrative roles to perform maintenance or configuration tasks without logging in as root.

CAVEATS

newrole requires that the SELinux policy explicitly authorizes the user to transition to the specified role.
The user might be prompted for their password if PAM is configured for authentication.
It only changes the SELinux context, not the user ID (UID) or group ID (GID).
Its functionality is entirely dependent on an active and correctly configured SELinux system.

SELINUX CONTEXT

The new SELinux context typically consists of user, role, type, and sensitivity level (e.g., unconfined_u:system_r:system_t:s0). newrole primarily focuses on changing the role component, and potentially the type and level, as defined by policy.
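
The level format from the TLDR entry and the context layout described above can be checked before a value is passed to `newrole -l`. This is an added example, not part of the original page or of the SELinux tools: the function names are hypothetical, comma-separated category lists are accepted in addition to the format shown on the page, and only syntax and sensitivity ordering are checked (the loaded policy still decides what is permitted).

```sh
# split_context CTX: sets CTX_USER, CTX_ROLE, CTX_TYPE, CTX_LEVEL.
# Only the first three ':' separate fields; the level may contain ':' itself.
split_context() {
    case $1 in *:*:*) ;; *) return 1 ;; esac
    CTX_USER=${1%%:*}; rest=${1#*:}
    CTX_ROLE=${rest%%:*}; rest=${rest#*:}
    CTX_TYPE=${rest%%:*}
    # Policies built without MLS/MCS print three fields and no level.
    case $rest in *:*) CTX_LEVEL=${rest#*:} ;; *) CTX_LEVEL= ;; esac
    [ -n "$CTX_USER" ] && [ -n "$CTX_ROLE" ] && [ -n "$CTX_TYPE" ]
}

# valid_cat cN: N is a decimal number from 0 to 1023.
valid_cat() {
    n=${1#c}
    case $1 in c*) ;; *) return 1 ;; esac
    case $n in ''|*[!0-9]*|?????*) return 1 ;; esac
    [ "$n" -le 1023 ]
}

# valid_half sN[:cats]: one side of a level range, N from 0 to 15.
valid_half() {
    sens=${1%%:*}
    case $sens in s[0-9]|s1[0-5]) ;; *) return 1 ;; esac
    case $1 in *:*) cats=${1#*:} ;; *) return 0 ;; esac
    case $cats in ''|,*|*,|*,,*) return 1 ;; esac
    while [ -n "$cats" ]; do
        item=${cats%%,*}
        case $cats in *,*) cats=${cats#*,} ;; *) cats= ;; esac
        lo=${item%%.*}; hi=${item#*.}   # "c5" alone gives lo == hi
        valid_cat "$lo" && valid_cat "$hi" || return 1
        [ "${lo#c}" -le "${hi#c}" ] || return 1
    done
}

# valid_level LEVEL: a single level or a low-high range.
valid_level() {
    case $1 in ''|*-*-*) return 1 ;; esac
    low=${1%%-*}; high=${1#*-}          # no '-' gives low == high
    valid_half "$low" || return 1; low_s=${sens#s}
    valid_half "$high" || return 1
    [ "$low_s" -le "${sens#s}" ]        # high must not be below low
}

# Constructed sample context, in the form `id -Z` prints.
if split_context 'staff_u:staff_r:staff_t:s0-s0:c0.c1023' && valid_level "$CTX_LEVEL"; then
    echo "role=$CTX_ROLE type=$CTX_TYPE level=$CTX_LEVEL"
fi
```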

PAM INTEGRATION

newrole often uses Pluggable Authentication Modules (PAM) to authenticate users before allowing them to assume a new role. This means users might be prompted for their password even if they are already logged in, adding an extra layer of security.

POLICY DEPENDENCE

The success of newrole depends entirely on the SELinux policy loaded on the system. The policy defines which users can assume which roles and what types are associated with those roles. If the policy does not permit a transition, newrole will fail.

HISTORY

The newrole command is an integral part of the Security-Enhanced Linux (SELinux) project, which originated from the National Security Agency (NSA). It was developed as a mandatory access control (MAC) mechanism to enhance the security of Linux systems. newrole specifically emerged as a utility to facilitate role-based access control (RBAC) within the SELinux framework. Its development parallels the broader integration of SELinux into mainstream Linux distributions, particularly Fedora and Red Hat Enterprise Linux, where it became a standard tool for administrators managing security contexts and user privileges in an SELinux-enabled environment. Its design reflects the need for granular control over processes and resources, allowing users to transition between predefined security roles without altering their actual user ID, thus maintaining a clear separation of duties and improving auditability.

SEE ALSO

su(1), sudo(8), runcon(1), chcon(1), semanage(8), getcon(1)
