Running commands in a specified role with runcon
Using sudo is not mandatory. SELinux also provides a command called runcon that allows users to run a command in a different context. Of course, SELinux restrictions still apply—the user must have the proper privileges to execute commands with a different context.
How to do it…
Running a command using a specified role and type is done by completing the following steps:
1. Identify the domain in which the command should run, usually by checking the executable's context and searching for the entrypoint definition:
   ~$ ls -Z auditctl
   system_u:object_r:auditctl_exec_t auditctl
   ~$ sesearch -t auditctl_exec_t -c file -p entrypoint -A
   Found 1 semantic av rules:
      allow auditctl_t auditctl_exec_t : file { … entrypoint … };
2. Call the command, passing along the role and target type:
   ~$ runcon -r secadm_r -t auditctl_t auditctl -l
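The two steps above can be scripted: read the file type off the executable's label, find the domain that has an entrypoint rule on that type, and only then build the runcon invocation. The script below is an added example, not the book's own code; it parses constructed sample output of ls -Z and sesearch (embedded inline so it runs offline) rather than calling the SELinux tools, and the helper names exec_type_from_ls_z, entrypoint_domains and build_runcon are the example's own. On a real SELinux host the sample strings would come from `ls -Z "$exe"` and `sesearch -t "$exec_type" -c file -p entrypoint -A`.

```shell
#!/bin/sh
# Added example: derive a runcon invocation from the executable's file type
# and the entrypoint rule on that type. The sesearch/ls -Z output below is
# constructed to match the shape shown in the recipe, so this runs offline.

# Constructed sample output of `ls -Z auditctl`.
SAMPLE_LS_Z='system_u:object_r:auditctl_exec_t auditctl'

# Constructed sample output of `sesearch -t auditctl_exec_t -c file -p entrypoint -A`.
SAMPLE_SESEARCH='Found 1 semantic av rules:
   allow auditctl_t auditctl_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;'

# Extract the type (third field of user:role:type[:level]) from one ls -Z line.
exec_type_from_ls_z() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Print the source domain of every "allow <domain> <exec_type> : file { ... entrypoint ... }"
# rule in sesearch output. $1 = exec type, $2 = sesearch output.
entrypoint_domains() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 == "allow" && $3 == t && $4 == ":" && $5 == "file" && /entrypoint/ { print $2 }'
}

# Build the runcon command line. $1 = role, $2 = target domain, rest = command.
build_runcon() {
    role=$1; dom=$2; shift 2
    printf 'runcon -r %s -t %s %s\n' "$role" "$dom" "$*"
}

# Worked run over the constructed samples: stop if no domain can be entered
# through this executable, since runcon would then be refused by the policy.
exec_type=$(exec_type_from_ls_z "$SAMPLE_LS_Z")
domain=$(entrypoint_domains "$exec_type" "$SAMPLE_SESEARCH")
[ -n "$domain" ] || { echo "no entrypoint domain for $exec_type" >&2; exit 1; }
build_runcon secadm_r "$domain" auditctl -l
```

The check on an empty domain list is the useful part: if no domain has an entrypoint rule on the file type, runcon into an arbitrary domain will be denied regardless of the caller's role, so the script refuses to print a command line that cannot succeed.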
How it works…
The runcon application tells SELinux that the invocation of the command should result in a type and role transition...