UNIX Privilege Escalation Without Exploitation
What is newrole(1)?

newrole(1) is a program that allows switching from one security context to another on SELinux systems

  • Has the same problem as su(1) but is typically more restricted (depending on the SELinux policy in place)
  • SELinux policies can mitigate this problem in various ways
    • Restrictions can be imposed on ptrace(2) use
    • A library dropped on the system for LD_PRELOAD may not carry a label that the policy permits the target domain to execute
    • SELinux supports the idea that policy and mechanism should be separate
      • A policy can be written to nullify this class of threat completely; however, plugging every hole in an allow-by-exception policy is difficult, so building the policy from a default-deny standpoint is recommended
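To make the last three bullets concrete, the following is an added, simplified model of how SELinux type enforcement reaches an access decision; it is written for this page and is neither SELinux's implementation nor a real policy module. Type names (user_t, newrole_t, user_home_t, lib_t) mirror reference-policy naming and the deny_ptrace boolean mirrors the one in Fedora/RHEL policy, but every rule in the fragment is constructed here, and file execution is reduced to a single execute permission. The point it shows is default deny: the preload and ptrace attempts are refused not because a rule forbids them but because no active rule allows them.

```python
"""Minimal model of SELinux type-enforcement decisions (added example).

Illustrative model written for this page, not SELinux code and not a real
policy.  Every rule below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    source: str          # subject domain, e.g. user_t
    target: str          # object type, e.g. user_home_t
    obj_class: str       # object class: file, process, ...
    perms: frozenset     # permissions this rule grants
    # optional (boolean_name, value the boolean must have for the rule to be active)
    condition: Optional[Tuple[str, bool]] = None


# Constructed policy fragment.  Note what is ABSENT: nothing lets user_t
# ptrace a newrole_t process, and nothing lets newrole_t execute a file
# labelled user_home_t, so a library sitting in $HOME cannot be mapped
# executable into the newrole process even if LD_PRELOAD names it.
POLICY = (
    AllowRule("user_t", "user_t", "process", frozenset({"ptrace"}),
              condition=("deny_ptrace", False)),          # active only when deny_ptrace is off
    AllowRule("user_t", "newrole_t", "process", frozenset({"transition"})),
    AllowRule("user_t", "user_home_t", "file", frozenset({"read", "write", "open"})),
    AllowRule("user_t", "lib_t", "file", frozenset({"read", "execute", "open"})),
    AllowRule("newrole_t", "lib_t", "file", frozenset({"read", "execute", "open"})),
    AllowRule("newrole_t", "user_home_t", "file", frozenset({"read", "open"})),
)

# Constructed boolean state (deny_ptrace enabled, as a hardened host would have it).
DEFAULT_BOOLEANS = {"deny_ptrace": True}


def explain_decision(source, target, obj_class, perm, policy=POLICY, booleans=None):
    """Return a short reason string; 'denied: no allow rule' is the default-deny case."""
    booleans = {**DEFAULT_BOOLEANS, **(booleans or {})}
    for rule in policy:
        if (rule.source, rule.target, rule.obj_class) != (source, target, obj_class):
            continue
        if perm not in rule.perms:
            continue
        if rule.condition is None:
            return "allowed: unconditional rule"
        name, required = rule.condition
        if booleans.get(name, False) == required:
            return f"allowed: conditional rule active ({name}={booleans.get(name, False)})"
        return f"denied: rule disabled by boolean {name}"
    return "denied: no allow rule"


def access_allowed(source, target, obj_class, perm, policy=POLICY, booleans=None):
    """Default deny: a permission is granted only if some active allow rule carries it."""
    return explain_decision(source, target, obj_class, perm, policy, booleans).startswith("allowed")


def preload_possible(domain, file_type, booleans=None):
    """Can a process in `domain` map a library labelled `file_type` executable?"""
    return access_allowed(domain, file_type, "file", "execute", booleans=booleans)


def ptrace_possible(source_domain, target_domain, booleans=None):
    """Can a process in source_domain attach to one running in target_domain?"""
    return access_allowed(source_domain, target_domain, "process", "ptrace", booleans=booleans)


if __name__ == "__main__":
    for desc, fn in [
        ("newrole_t executes library from $HOME", lambda: preload_possible("newrole_t", "user_home_t")),
        ("newrole_t executes system library     ", lambda: preload_possible("newrole_t", "lib_t")),
        ("user_t ptraces newrole_t              ", lambda: ptrace_possible("user_t", "newrole_t")),
        ("user_t ptraces user_t (deny_ptrace on)", lambda: ptrace_possible("user_t", "user_t")),
        ("user_t ptraces user_t (deny_ptrace off)", lambda: ptrace_possible("user_t", "user_t", {"deny_ptrace": False})),
    ]:
        print(f"{desc}: {'allowed' if fn() else 'denied'}")
    print(explain_decision("user_t", "newrole_t", "process", "ptrace"))
```

The two denial reasons are worth distinguishing when auditing a real policy: "rule disabled by boolean" means a single `setsebool` flips the protection, whereas "no allow rule" is the default-deny floor the last bullet recommends building from.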