SELinux RBAC

  • Each SELinux user (distinct from a Linux login; logins are mapped onto SELinux users) is authorised for one or more SELinux roles, declared with the user statement

    user system_u roles system_r;
    user root roles { user_r sysadm_r };
  • Each SELinux role is authorised for one or more types (domains), declared with the role statement; a context user:role:type is valid only if the user may hold the role and the role may be paired with the type

    role system_r types { kernel_t initrc_t getty_t klogd_t };
    role sysadm_r types { sysadm_t run_init_t };
  • A role allow rule (allow from_role to_role;) authorises a change from one role to another. Rules are one-directional, so the second rule below lets user_r move to sysadm_r but not back, and the target role must also be one the SELinux user is authorised for. The rule only permits the role change; the type enforcement rules must separately allow the domain transition that accompanies it

    allow system_r { user_r sysadm_r };
    allow user_r sysadm_r;
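The three statement kinds above form a two-layer check (user to role, role to type) plus a one-directional transition graph. The following script, an added example that is not part of SELinux or of the slides, parses exactly this subset of the policy language and answers the questions a policy analyst would ask of it: is a given user:role:type context valid, is a given role change permitted, and which roles a user can eventually reach from a starting role. It goes beyond the slides in two ways: it adds an assumed statement role user_r types { user_t }; so that user_r has a type to land in, and it computes the transitive set of reachable roles. It models only the RBAC layer; the type enforcement allow rules that a real domain transition also needs are out of scope, and for real policies you would use sesearch from setools instead.

```python
"""Toy model of the SELinux RBAC layer: user -> roles -> types, plus role allow rules.

Constructed example for this page; it is not part of SELinux or any policy
toolchain. It models only the RBAC checks; the type-enforcement (TE) allow
rules that a real domain transition also needs are out of scope.
"""
import re
from collections import defaultdict
from typing import Dict, NamedTuple, Set

# Constructed policy fragment: the statements from the slides above, plus an
# ASSUMED `role user_r types { user_t };` so that user_r has a type to land in.
POLICY = """
user system_u roles system_r;
user root roles { user_r sysadm_r };
role system_r types { kernel_t initrc_t getty_t klogd_t };
role sysadm_r types { sysadm_t run_init_t };
role user_r types { user_t };
allow system_r { user_r sysadm_r };
allow user_r sysadm_r;
"""


class Policy(NamedTuple):
    users: Dict[str, Set[str]]       # SELinux user -> roles it may hold
    role_types: Dict[str, Set[str]]  # role -> types (domains) it may pair with
    role_allow: Dict[str, Set[str]]  # from_role -> roles it may change to


# statement := (user|role|allow) NAME [roles|types] (NAME | { NAME ... })
_STMT = re.compile(
    r"^(user|role|allow)\s+(\w+)\s+(?:(roles|types)\s+)?(\{[^}]*\}|\w+)$")


def parse_policy(text: str) -> Policy:
    """Parse the subset of policy syntax used on this page (no MLS, no TE rules)."""
    users: Dict[str, Set[str]] = {}
    role_types: Dict[str, Set[str]] = defaultdict(set)
    role_allow: Dict[str, Set[str]] = defaultdict(set)
    for raw in text.split(";"):
        stmt = " ".join(raw.split())  # collapse newlines and runs of spaces
        if not stmt:
            continue
        if ":" in stmt:
            # `allow src tgt : class perms;` is a TE rule, not a role allow rule.
            raise ValueError(f"TE rules are not modelled here: {stmt!r}")
        m = _STMT.match(stmt)
        if not m:
            raise ValueError(f"unsupported statement: {stmt!r}")
        kind, name, keyword, operand = m.groups()
        members = set(operand.strip("{} ").split())
        if kind == "user" and keyword == "roles":
            users[name] = members
        elif kind == "role" and keyword == "types":
            role_types[name] |= members
        elif kind == "allow" and keyword is None:
            role_allow[name] |= members  # `allow from_role to_role(s)`
        else:
            raise ValueError(f"malformed statement: {stmt!r}")
    return Policy(users, dict(role_types), dict(role_allow))


def context_is_valid(p: Policy, user: str, role: str, type_: str) -> bool:
    """user:role:type is valid only if BOTH hops are authorised:
    the user may hold the role, and the role may be paired with the type."""
    return (role in p.users.get(user, set())
            and type_ in p.role_types.get(role, set()))


def role_change_allowed(p: Policy, user: str, from_role: str, to_role: str) -> bool:
    """A role change needs a role allow rule from_role -> to_role AND the user
    must be authorised for to_role; either missing piece denies it. Rules are
    one-directional, so the reverse change is not implied."""
    return (to_role in p.role_allow.get(from_role, set())
            and to_role in p.users.get(user, set()))


def reachable_roles(p: Policy, user: str, start_role: str) -> Set[str]:
    """Roles reachable from start_role through chains of permitted role changes
    (each hop is checked individually; the relation is not transitive by itself)."""
    seen: Set[str] = set()
    frontier = [start_role]
    while frontier:
        cur = frontier.pop()
        for nxt in p.role_allow.get(cur, set()):
            if nxt not in seen and role_change_allowed(p, user, cur, nxt):
                seen.add(nxt)
                frontier.append(nxt)
    seen.discard(start_role)
    return seen


if __name__ == "__main__":
    p = parse_policy(POLICY)
    print("root:sysadm_r:sysadm_t valid:", context_is_valid(p, "root", "sysadm_r", "sysadm_t"))
    print("root user_r -> sysadm_r:", role_change_allowed(p, "root", "user_r", "sysadm_r"))
    print("root sysadm_r -> user_r:", role_change_allowed(p, "root", "sysadm_r", "user_r"))
    print("system_u reachable from system_r:", reachable_roles(p, "system_u", "system_r"))
```

Two results are worth noting. Even though allow system_r { user_r sysadm_r }; exists, system_u cannot reach user_r or sysadm_r, because the user statement for system_u authorises only system_r; the role allow rule and the user's role set are independent checks and both must pass. And root can move from user_r to sysadm_r but not back, since no allow sysadm_r user_r; rule exists.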