Global domain


SELinux Policy Editor supports a special domain named "global". This domain exists to simplify security policy definitions and to make defining the security policy safer. The security policy defined in the "global" domain is inherited by all other domains and roles. The security policy defined in the "global" domain is absolute, so other domains and roles can't deny it unless that policy is specifically decontrolled in each such domain or role.

For example, if access to the "/etc/shadow" file is denied in the "global" domain, then even if read access to the "/etc" directory is allowed in the "httpd_t" domain, the "httpd_t" domain can't access the "/etc/shadow" file. If you want the "httpd_t" domain to access the "/etc/shadow" file, you have to explicitly allow the "httpd_t" domain to access "/etc/shadow". Denying access to important objects in the "global" domain prevents a mis-defined security policy from allowing access to those objects.

Using the "global" domain also helps avoid trouble when defining the security policy. The "/lib" directory holds common library files, so most programs access this directory. If you define the security policy for this directory in the "global" domain, you need not define the same security policy in each domain.
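The precedence described above, as a simplified Python model added here (it is not SELinux Policy Editor code or policy syntax). The rule dictionaries, the most-specific-path-wins lookup and the `login_t` domain are assumptions made for illustration.

```python
import posixpath

# Constructed sample policy. The {path: permissions} layout is an assumption
# of this sketch; an empty set stands for an explicit deny.
GLOBAL = {
    "/lib": {"r"},          # common libraries: defined once, inherited by all
    "/etc/shadow": set(),   # important object: denied for every domain
}
DOMAINS = {
    "httpd_t": {"/etc": {"r"}},
    # Hypothetical domain that explicitly overrides the global deny.
    "login_t": {"/etc": {"r"}, "/etc/shadow": {"r"}},
}


def _ancestors(path):
    """Yield the path itself, then each parent directory up to the root."""
    path = posixpath.normpath(path)
    while True:
        yield path
        parent = posixpath.dirname(path)
        if parent == path:   # reached the root (or an empty relative path)
            return
        path = parent


def effective_perms(domain, path):
    """Return (permissions, deciding rule) for a domain and path.

    Assumed resolution order: the most specific path rule wins; when the
    domain and "global" both have a rule for the same path, the domain's
    explicit rule overrides the inherited one.
    """
    own = DOMAINS.get(domain, {})
    for p in _ancestors(path):
        if p in own:
            return own[p], f"{domain}:{p}"
        if p in GLOBAL:
            return GLOBAL[p], f"global:{p}"
    return set(), "default-deny"   # nothing matched: access is not allowed


def can_access(domain, path, perm="r"):
    """True if the resolved rule grants the requested permission."""
    return perm in effective_perms(domain, path)[0]
```

Calling `effective_perms("httpd_t", "/etc/shadow")` returns the deciding rule as well, which shows that the refusal comes from "global" and not from a gap in the `httpd_t` definition.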

