As explained in Chapter 6, an SELinux policy consists of 11 elements, several of which are optional:
classes
    Defines the security object classes recognized by SELinux.
initial_sids
    Defines initial SIDs for important security objects.
access_vectors
    Defines access vectors associated with each security object class.
mls
    Defines MLS configuration (optional).
te_rbac
    Defines type-enforcement and role-based access control configuration.
users
    Defines the user configuration.
constraints
    Defines constraints that the security policy must observe (optional).
initial_sid_contexts
    Defines the security contexts of important security objects.
fs_use
    Defines the method used to label filesystem inodes.
genfs_contexts
    Defines security contexts for filesystems lacking persistent labels (optional).
net_contexts
    Defines security contexts for network objects.
The te_rbac element specifies both the role-based access control policies and the type-enforcement policies. Within the element, role-based access control and type-enforcement declarations can be freely intermingled. The following section explains the SELinux type-enforcement declarations.