SELinux Cookbook

By: Sven Vermeulen

Defining role transitions

It is possible to have SELinux automatically switch roles when a certain application is executed. The usual checks still apply (for instance, the target role must be valid for the user, the current user domain must have execute rights on the application, and many more), but there is no longer a need to call runcon or sudo to switch the role.

How to do it…

Role transitions can be configured as follows:

  1. Identify the executable type on which a role transition has to occur:

    ~$ ls -Z puppetca
    system_u:object_r:puppetca_exec_t  puppetca
  2. In the SELinux policy, create an interface that includes the role transitions:

    interface(`puppet_roletrans_puppetca',`
      gen_require(`
        role puppetadm_r;
        type puppetca_t, puppetca_exec_t;
      ')
      allow $1 puppetadm_r;
      role_transition $1 puppetca_exec_t puppetadm_r;
      domtrans_pattern($2, puppetca_exec_t, puppetca_t)
    ')

  3. Assign the newly created interface to the user:

    puppet_roletrans_puppetca(staff_r, staff_t)
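The three steps above grant the role transition, but the checks mentioned at the start of the recipe still decide whether it fires. The following Python model is an added illustration, not code from the book: it encodes the rules that puppet_roletrans_puppetca(staff_r, staff_t) expands to, adds constructed user and role declarations (alice_u, bob_u, and `role puppetadm_r types puppetca_t`), and walks an exec through the checks a transition must pass.

```python
"""Model of the checks SELinux applies when a role transition fires on exec.

Added illustration, not code from the SELinux Cookbook. The sample policy is the
recipe's interface call expanded by hand plus constructed user/role declarations."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    exec_rights: dict = field(default_factory=dict)         # domain -> {exec types}
    domain_transitions: dict = field(default_factory=dict)  # (domain, exec type) -> new domain
    role_transitions: dict = field(default_factory=dict)    # (role, exec type) -> new role
    role_allows: set = field(default_factory=set)           # {(from role, to role)}
    role_types: dict = field(default_factory=dict)          # role -> {domains it may run}
    user_roles: dict = field(default_factory=dict)          # SELinux user -> {roles}


def exec_context(policy, user, role, domain, exec_type):
    """Return the (user, role, domain) a process gets after exec, or raise PermissionError."""
    # Executing the file at all still needs file:execute on the exec type.
    if exec_type not in policy.exec_rights.get(domain, set()):
        raise PermissionError(f"{domain} may not execute {exec_type}")
    # type_transition from domtrans_pattern; without a rule the domain is kept.
    new_domain = policy.domain_transitions.get((domain, exec_type), domain)
    # role_transition rule; without one the role is kept (plain domain transition).
    new_role = policy.role_transitions.get((role, exec_type), role)
    if new_role != role:
        # 'allow staff_r puppetadm_r;' is what permits the role change at all.
        if (role, new_role) not in policy.role_allows:
            raise PermissionError(f"role change {role} -> {new_role} not allowed")
        # The resulting context must be valid: the SELinux user must hold the new role.
        if new_role not in policy.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not authorised for {new_role}")
    # ...and the new role must be authorised for the new domain.
    if new_domain not in policy.role_types.get(new_role, set()):
        raise PermissionError(f"{new_role} is not authorised for {new_domain}")
    return (user, new_role, new_domain)


# Constructed sample policy: the recipe's interface called with (staff_r, staff_t).
PUPPET_POLICY = Policy(
    exec_rights={"staff_t": {"puppetca_exec_t"}},
    domain_transitions={("staff_t", "puppetca_exec_t"): "puppetca_t"},
    role_transitions={("staff_r", "puppetca_exec_t"): "puppetadm_r"},
    role_allows={("staff_r", "puppetadm_r")},
    role_types={"staff_r": {"staff_t"}, "puppetadm_r": {"puppetca_t"}},
    # Only alice_u (constructed) has been granted puppetadm_r; bob_u has not.
    user_roles={"alice_u": {"staff_r", "puppetadm_r"}, "bob_u": {"staff_r"}},
)
```

Running exec_context for bob_u shows why a role_transition rule alone is not enough: the transition is refused until the SELinux user is also mapped to puppetadm_r.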

How it works…

The first rule that is activated is...