
1.2 How RBAC works in SELinux

RBAC works in two parts: first a role is assigned to the user, then a domain is assigned to the user's shell.

  1. Assign role
    When a user logs in through a login program (login, sshd, gdm), the login program assigns a role to the user. The rules describing which roles each user is allowed to use are written in the policy, and login programs consult the policy when assigning roles. For example, if user webmaster is allowed to use the webmaster_r role, the login program assigns webmaster_r to user webmaster.
  2. Assign domain
    A role is only a string; to confine the user's behavior, a domain must be given to the user's shell.
    When the user's shell is launched, it is given a domain according to the role. For example, when user webmaster logs in with the webmaster_r role, the webmaster_t domain is given to the user's shell. The webmaster_t domain is configured to allow homepage administration work.
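
The two steps can be checked mechanically. The following is an added example, not part of the original document: it parses a constructed sample policy written with the SELinux policy-language statements `user ... roles` and `role ... types`, then checks that a shell context of the form `user:role:domain` passes both steps. The sample policy, the extra `root` entries and the function names are assumptions made for illustration.

```python
import re

# Constructed sample policy (not from the original page), using the SELinux
# policy-language statements "user ... roles" and "role ... types".
SAMPLE_POLICY = """
user webmaster roles { webmaster_r };
user root roles { staff_r sysadm_r };
role webmaster_r types webmaster_t;
role staff_r types staff_t;
role sysadm_r types { sysadm_t };
"""

def _names(text):
    # "{ a b }" or a single bare name -> set of names
    return set(text.strip("{} \t\n").split())

def parse_policy(text):
    """Return (user -> allowed roles, role -> allowed domains)."""
    user_roles, role_types = {}, {}
    for stmt in text.split(";"):
        m = re.match(r"\s*user\s+(\S+)\s+roles\s+(.+)", stmt, re.S)
        if m:
            user_roles.setdefault(m.group(1), set()).update(_names(m.group(2)))
            continue
        m = re.match(r"\s*role\s+(\S+)\s+types\s+(.+)", stmt, re.S)
        if m:
            role_types.setdefault(m.group(1), set()).update(_names(m.group(2)))
    return user_roles, role_types

def check_context(context, user_roles, role_types):
    """Validate a shell context 'user:role:domain' against both steps."""
    parts = context.split(":")
    if len(parts) < 3:
        return "malformed context"
    user, role, domain = parts[:3]
    if role not in user_roles.get(user, set()):      # step 1: assign role
        return "role not allowed for user"
    if domain not in role_types.get(role, set()):    # step 2: assign domain
        return "domain not allowed for role"
    return "ok"

if __name__ == "__main__":
    ur, rt = parse_policy(SAMPLE_POLICY)
    for ctx in ("webmaster:webmaster_r:webmaster_t",
                "webmaster:sysadm_r:sysadm_t",
                "webmaster:webmaster_r:sysadm_t"):
        print(ctx, "->", check_context(ctx, ur, rt))
```

On a running system, the context to check is the one reported for the login shell, for example by `id -Z`.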



2006-07-05