RUN_INIT(8) NSA RUN_INIT(8)NAME
run_init - run an init script in the proper SELinux context
SYNOPSIS
run_init SCRIPT [[ARGS]...]
DESCRIPTION
Run a init script under the proper context, which is specified in /etc/selinux/POLICYTYPE/contexts/initrc_context. It is generally used
interactively as it requires either shadow or PAM user authentication (depending on compile-time options). It should be possible to con-
figure PAM such that interactive input is not required. Check your PAM documentation.
FILES
/etc/passwd - user account information
/etc/shadow - encrypted passwords and age information
/etc/selinux/POLICYTYPE/contexts/initrc_context - contains the context to run init scripts under
SEE ALSO
newrole (1), runcon (1)
AUTHORS
Wayne Salamon (wsalamon@tislabs.com)
Dan Walsh (dwalsh@redhat.com)
Security Enhanced Linux May 2003 RUN_INIT(8)
Check Out this Related Man Page
NEWROLE(1) NSA NEWROLE(1)NAME
newrole - run a shell with a new SELinux role
SYNOPSIS
newrole [-r|--role] ROLE [-t|--type] TYPE [-l|--level] LEVEL [-- [ARGS]...]
DESCRIPTION
Run a new shell in a new context. The new context is derived from the old context in which newrole is originally executed. If the -r or
--role option is specified, then the new context will have the role specified by ROLE. If the -t or --type option is specified, then the
new context will have the type (domain) specified by TYPE. If a role is specified, but no type is specified, the default type is derived
from the specified role. If the -l or --level option is specified, then the new context will have the sensitivity level specified by
LEVEL. If LEVEL is a range, the new context will have the sensitivity level and clearance specified by that range.
Additional arguments ARGS may be provided after a -- option, in which case they are supplied to the new shell. In particular, an argument
of -- -c will cause the next argument to be treated as a command by most command interpreters.
If a command argument is specified to newrole and the command name is found in /etc/selinux/newrole_pam.conf, then the pam service name
listed in that file for the command will be used rather than the normal newrole pam configuration. This allows for per-command pam config-
uration when invoked via newrole, e.g. to skip the interactive re-authentication phase.
The new shell will be the shell specified in the user's entry in the /etc/passwd file.
The -V or --version shows the current version of newrole
EXAMPLE
Changing role:
# id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
# newrole -r sysadm_r
# id -Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
Changing sensitivity only:
# id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole -l Secret
# id -Z
staff_u:sysadm_r:sysadm_t:Secret-SystemHigh
Changing sensitivity and clearance:
# id -Z
staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh
# newrole -l Secret-Secret
# id -Z
staff_u:sysadm_r:sysadm_t:Secret
Running a program in a given role or level:
# newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
# newrole -l Secret -- -c "/path/to/app arg1 arg2..."
FILES
/etc/passwd - user account information
/etc/shadow - encrypted passwords and age information
/etc/selinux/<policy>/contexts/default_type - default types for roles
/etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
SEE ALSO
runcon (1)
AUTHORS
Anthony Colatrella
Tim Fraser
Steve Grubb <sgrubb@redhat.com>
Darrel Goeddel <DGoeddel@trustedcs.com>
Michael Thompson <mcthomps@us.ibm.com>
Dan Walsh <dwalsh@redhat.com>
Security Enhanced Linux October 2000 NEWROLE(1)