Role-Based Access Control (RBAC)
To further control access to TE domains SELinux makes use of role-based access control (RBAC). This feature allows SELinux users to be associated to one or more roles, where each role is then associated to one or more domain types as shown in the Role Based Access Control diagram.
The SELinux role name is the second component of a 'security context' and by convention SELinux roles end in '_r', however this is not enforced by any SELinux service (i.e. it is only used to identify the role component), although CIL with namespaces does make identification of a role easier for example a 'role' could be declared as unconfined.role.
It is possible to add constraints and bounds on roles as discussed in the Type Enforcement section.