Running commands in a specified role with runcon

Using sudo is not mandatory. SELinux also provides a command called runcon that allows users to run a command in a different context. Of course, SELinux restrictions still apply—the user must have the proper privileges to execute commands with a different context.

How to do it…

Running a command using a specified role and type is done by completing the following steps:

  1. Identify the domain in which the command should run, usually by checking the executable's context and searching for the entrypoint definition:
    ~$ ls -Z auditctl
    system_u:object_r:auditctl_exec_t    auditctl
    ~$ sesearch -t auditctl_exec_t -c file -p entrypoint -A
    Found 1 semantic av rules:
     allow auditctl_t auditctl_exec_t : file { … entrypoint ...
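The step above can be automated: read the type from the `ls -Z` output, pick the domain that holds `entrypoint` on that type in the `sesearch` output, and assemble the `runcon` command line. The following is an added example, not code from the book; the `ls -Z` and `sesearch` output it parses is constructed (a second rule without `entrypoint` is included to exercise the filter), and the helper names are my own.

```python
import re
import shlex

# Constructed sample of `ls -Z auditctl` output (not captured from a real host).
LS_Z_OUTPUT = "system_u:object_r:auditctl_exec_t    auditctl\n"

# Constructed sample of sesearch output. The second rule lacks `entrypoint`
# (as it would if sesearch were run without -p entrypoint) to exercise the filter.
SESEARCH_OUTPUT = """Found 2 semantic av rules:
   allow auditctl_t auditctl_exec_t : file { read getattr execute entrypoint open } ;
   allow auditadm_t auditctl_exec_t : file { read getattr execute open } ;
"""

AV_RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*file\s*\{([^}]*)\}")


def file_type_from_ls_z(ls_z_line):
    """Return the SELinux type (third context field) from one `ls -Z` line."""
    context = ls_z_line.split()[0]           # user:role:type[:level]
    return context.split(":")[2]


def entrypoint_domains(sesearch_output, exec_type):
    """Domains allowed to use exec_type as an entrypoint, in rule order."""
    domains = []
    for line in sesearch_output.splitlines():
        m = AV_RULE.match(line)
        if not m:
            continue                         # header or unrelated line
        source, target, perms = m.group(1), m.group(2), m.group(3).split()
        if target == exec_type and "entrypoint" in perms:
            domains.append(source)
    return domains


def runcon_argv(domain, command, role=None):
    """Build the runcon argument vector for running `command` in `domain`."""
    argv = ["runcon", "-t", domain]
    if role:
        argv += ["-r", role]                 # optional role switch, e.g. sysadm_r
    return argv + list(command)


def plan_runcon(ls_z_line, sesearch_output, command, role=None):
    """Combine the steps above; refuse when the target domain is ambiguous."""
    exec_type = file_type_from_ls_z(ls_z_line)
    domains = entrypoint_domains(sesearch_output, exec_type)
    if len(domains) != 1:
        raise ValueError(f"expected one entrypoint domain for {exec_type}, got {domains}")
    return runcon_argv(domains[0], command, role)


if __name__ == "__main__":
    print(shlex.join(plan_runcon(LS_Z_OUTPUT, SESEARCH_OUTPUT, ["auditctl", "-l"])))
```

The printed line is the command you would then run; whether the transition is actually permitted still depends on the policy allowing your current role and domain to reach the target, which this script does not check.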
