1:{
2:role webmaster_r;
3:user webmaster;
4:allow /var/www/** r,w,s;
}
Line 2 means that the configuration between the braces {} belongs to the webmaster_r role.
Line 3 means that the user named webmaster can use the webmaster_r role.
The lines that follow grant access rights to the webmaster_t domain (remember that in an SELinux system the webmaster_r role behaves as the webmaster_t domain).
Line 4 means that the webmaster_t domain (that is, a user logged in with the webmaster_r role) is allowed to read and write under /var/www.
Assume that the complete RBAC configuration is as follows.
* In sysadm_r.sp
{
role sysadm_r;
user root;
..
}
* In webmaster_r.sp
{
role webmaster_r;
user webmaster;
..
}
* In user_r.sp
{
role user_r;
user user_u;
..
}
In the above, three roles are configured.
You can see that the users root and webmaster are each assigned a role.
In this case user_u stands for all users other than root and webmaster.
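As an added example (not code from the original page or from the policy tool itself), here is a small Python checker that parses blocks written in the simplified-policy syntax above, resolves a user to a role with the user_u fallback just described, and tests whether a path and permission are covered by that role's allow rules. The sample policy is constructed, and reading "/dir/**" as the directory plus everything below it is an assumption.

```python
import re

# Constructed sample in the .sp syntax shown on the page; the allow line for
# user_r is an assumption standing in for the page's ".." lines.
SAMPLE_POLICY = (
    "{ role webmaster_r; user webmaster; allow /var/www/** r,w,s; }\n"
    "{ role user_r; user user_u; allow /home/** r,w,s; }\n"
)

def parse_sp(text):
    """Parse each {...} block into {role: {"users": [...], "allow": [(pattern, perms)]}}."""
    policy = {}
    for body in re.findall(r"\{(.*?)\}", text, re.S):
        role, entry = None, {"users": [], "allow": []}
        for stmt in body.split(";"):
            parts = stmt.split()
            if not parts:
                continue
            if parts[0] == "role":
                role = parts[1]
            elif parts[0] == "user":
                entry["users"].append(parts[1])
            elif parts[0] == "allow":
                entry["allow"].append((parts[1], set(parts[2].split(","))))
        if role:
            policy[role] = entry
    return policy

def role_for(policy, user):
    """A user named in a block gets that role; anyone else gets the user_u role."""
    for role, entry in policy.items():
        if user in entry["users"]:
            return role
    return next((r for r, e in policy.items() if "user_u" in e["users"]), None)

def path_matches(pattern, path):
    """'/dir/**' is read as /dir and everything below it; other patterns match exactly."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def is_allowed(policy, user, path, perm):
    """True if an allow rule for the user's role covers path and grants perm."""
    role = role_for(policy, user)
    if role is None:
        return False
    return any(perm in perms and path_matches(pat, path)
               for pat, perms in policy[role]["allow"])
```

Running is_allowed against a policy before loading it is a cheap way to confirm that a role cannot reach paths outside the directories it was meant to own.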