Context format

    user:role:type:sensitivity

The sensitivity field is optional.

Example contexts:

    user_u:user_r:user_t
    system_u:object_r:lib_t

Example policy:

    allow user_t bin_t:file { execute };
    allow user_t user_bin_t:file { execute };

Access controls: type enforcement, role-based access control and user-based access control.

Type enforcement

SELinux rules are written for type enforcement:

    allow user_t lib_t : file { execute };

An access vector contains:

- the source context (such as user_t)
- the target context (such as lib_t)
- the class of the target (such as file)
- the activity that is invoked (such as execute)

The available classes, and the permissions of a class, are listed under /sys/fs/selinux/class:

    ls /sys/fs/selinux/class
    ls /sys/fs/selinux/class/file/perms/
    ls /sys/fs/selinux/class/tcp_socket/perms/

Role-based access control

Roles are like caps that a user can put on. A user is always assigned to a role, but can decide to switch roles. In SELinux, roles decide which types a process context can be in. Types for processes are also called domains.

    user_r, staff_r, sysadm_r, dbadm_r

    seinfo -ruser_r -x
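Added example (not part of the original notes): a small Python model of the type-enforcement check, built from the three allow rules in these notes. It parses contexts and evaluates an access vector with default deny; the function names and the sample policy string are constructed for illustration, and only the simple single-type rule form shown here is handled (no attributes or type sets).

```python
import re
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: Optional[str]


def parse_context(text):
    """Split user:role:type[:sensitivity] into its fields."""
    # maxsplit=3 keeps a sensitivity such as "s0-s0:c0.c1023" in one piece,
    # because the MLS/MCS part may itself contain ':'.
    parts = text.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a valid context: {text!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)


# Matches: allow <source_type> <target_type> : <class> { perm ... };
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

# The allow rules quoted in the notes, collected into one policy string.
POLICY = """
allow user_t bin_t:file { execute };
allow user_t user_bin_t:file { execute };
allow user_t lib_t : file { execute };
"""


def parse_policy(text):
    """Return {(source_type, target_type, class): {permissions}}."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def is_allowed(rules, source_ctx, target_ctx, tclass, perm):
    """Evaluate one access vector; only the type field of each context is used."""
    key = (parse_context(source_ctx).type, parse_context(target_ctx).type, tclass)
    # Type enforcement is default-deny: no matching allow rule means denial.
    return perm in rules.get(key, set())
```
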