Section 6.5. Summary

  • Within SELinux, roles and users provide an RBAC feature. Unlike traditional RBAC mechanisms, in SELinux roles and users build upon the power of type enforcement rather than being an additional, separate type of access control.

  • Roles are a means of associating sets of domain types into a collection that represents "privileges" that we then assign to a user. Roles control domain transitions because SELinux will create a security context only if the new type is authorized for the role in the security context.

  • The role declaration statement (role) defines a role identifier and associates it with one or more types. Multiple role statements for the same role can exist within a given policy; the definition of the role is cumulative. Roles can also be declared via the much less used role dominance statement (dominance).

  • Role allow rules (allow) control whether the role in a security context may change on an execve() system call. The role transition statement (role_transition) causes a role change to occur by default depending on the role of the calling process and the type of the file executed.

  • SELinux users and Linux users are distinct identifiers. Any association between the two is the result of login process conventions. The general behavior is that if the Linux and SELinux user identifiers match, the initial user process security context will have the matching user identifier. Otherwise, if the special SELinux user user_u is defined in the policy, all nonmatching Linux users will have user_u as the user in their initial process security context. If there is no matching user and user_u is not defined, the user account cannot log in, even in permissive mode.

  • In SELinux, users provide the means to associate a Linux user with an SELinux role (and by extension with the set of domain types authorized for that role). The user declaration statement (user) specifies this association. SELinux will not create a security context unless the role is associated with the user via a user statement.
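The following is an added example, not code from the book, that models the role and user checks summarized above: a role declaration authorizes types for a role, a user statement authorizes roles for a user, a role allow rule permits the role to change on execve(), role_transition supplies the default new role, and the user_u convention decides the initial SELinux user at login. The policy fragment embedded in it is constructed for illustration, and the type-enforcement rules that also govern a domain transition are deliberately left out of the model.

```python
from dataclasses import dataclass


@dataclass
class RolePolicy:
    """Illustrative model of the role/user rules only (not SELinux's real checker)."""
    role_types: dict        # role declarations:   role R types { T ... };
    role_allow: set         # role allow rules:    allow R1 R2;
    role_transition: dict   # role_transition R1 file_type R2;
    user_roles: dict        # user declarations:   user U roles { R ... };

    def context_valid(self, user, role, type_):
        # A context is created only if the role authorizes the type AND the
        # user is associated with the role via a user statement.
        return type_ in self.role_types.get(role, set()) \
            and role in self.user_roles.get(user, set())

    def execve(self, ctx, file_type, new_type, requested_role=None):
        """Return the new (user, role, type) after execve(), or raise PermissionError."""
        user, old_role, _ = ctx
        # role_transition gives the default new role; a caller may request another.
        new_role = requested_role or self.role_transition.get((old_role, file_type), old_role)
        if new_role != old_role and (old_role, new_role) not in self.role_allow:
            raise PermissionError(f"no role allow rule for {old_role} -> {new_role}")
        if not self.context_valid(user, new_role, new_type):
            raise PermissionError(f"invalid context {user}:{new_role}:{new_type}")
        return (user, new_role, new_type)


def initial_selinux_user(linux_user, policy):
    """Login convention: matching SELinux user, else user_u if defined, else no login."""
    if linux_user in policy.user_roles:
        return linux_user
    if "user_u" in policy.user_roles:
        return "user_u"
    return None


# Constructed policy fragment (hypothetical), as the statements it stands for:
#   role user_r types { user_t };   role staff_r types { staff_t };
#   role sysadm_r types { sysadm_t };
#   allow user_r sysadm_r;          (note: no "allow user_r staff_r")
#   role_transition user_r sysadm_exec_t sysadm_r;
#   user joe roles { user_r staff_r sysadm_r };   user user_u roles { user_r };
POLICY = RolePolicy(
    role_types={"user_r": {"user_t"}, "staff_r": {"staff_t"}, "sysadm_r": {"sysadm_t"}},
    role_allow={("user_r", "sysadm_r")},
    role_transition={("user_r", "sysadm_exec_t"): "sysadm_r"},
    user_roles={"joe": {"user_r", "staff_r", "sysadm_r"}, "user_u": {"user_r"}},
)
```

With this policy, joe executing a sysadm_exec_t file moves to sysadm_r by default, user_u cannot reach sysadm_r at all because no user statement grants it, and joe cannot switch to staff_r because no role allow rule permits user_r to change to it.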

SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154