Dynamic labeled file


SELinux Policy Editor supports a special kind of file called a "dynamic labeled file". Files that a running process creates dynamically cannot be labeled in the same way as files that exist statically on the filesystem. For example, the web server program "httpd" creates the "/var/run/httpd.pid" file when it starts. Normally a newly created file inherits the security label, and therefore the permissions, of its parent directory, so "/var/run/httpd.pid" inherits them from the "/var/run" directory. In this case you can't grant permissions that apply exclusively to the "/var/run/httpd.pid" file. This is where the concept of a 'dynamic labeled file' becomes useful. First you specify that the files created under the "/var/run" directory by "httpd" are dynamic labeled files. With that specification, the system attaches a particular security label to the files that "httpd" creates under "/var/run". Domains that are not explicitly allowed to access this particular security label can't access those files.

Note that a domain can have only one dynamic labeled file under a given directory.
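The native SELinux policy that a dynamic labeled file corresponds to, as an added example that is not part of this page or of SELinux Policy Editor's own generated policy; the type names httpd_t, var_run_t and httpd_var_run_t are assumed, refpolicy-style names:

```selinux
# Type for the files httpd creates under /var/run (name assumed).
type httpd_var_run_t;

# Label switch: when the httpd_t domain creates a "file" object inside a
# directory labeled var_run_t (assumed label of /var/run), the new file
# receives httpd_var_run_t instead of inheriting var_run_t.
type_transition httpd_t var_run_t:file httpd_var_run_t;

# httpd needs rights on the directory and on the new label.
allow httpd_t var_run_t:dir { search add_name remove_name write };
allow httpd_t httpd_var_run_t:file { create read write getattr unlink };

# No other domain is granted httpd_var_run_t here, so the pid file stays
# unreachable to them even if they may read other var_run_t files.
```

A type_transition rule is keyed on the creating domain, the parent directory's type and the object class, not on the file name, which is why only one label can be assigned per domain under a directory. After the policy is loaded and httpd restarted, `ls -Z /var/run/httpd.pid` should show httpd_var_run_t rather than var_run_t.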

