I am real concerned about the selinux=0 and enforcing=0 case on newrole. Since newrole is prompting for the users password, and not the root password, we need to be very careful if newrole can change UID.