The standard Linux setup uses Discretionary Access Control (DAC). With this type of mechanism, if users and applications have the necessary privileges, they generally have unlimited access to operating system data and processes. When Mandatory Access Control (MAC) is implemented, as in SELinux, an administrator uses precisely defined security policies to set additional attributes that determine the conditions and contexts in which a user may access certain operating system processes or files. If the conditions or contexts (i.e., attributes) have not been approved, access is denied.
For the purposes of control in SELinux, the administrator assigns the following labels:
These labels can be assigned to every process and file and then integrated into the defined security policies. For example, an application might only be granted access to folders that have a specific label. The process of checking the security policies is referred to as SELinux enforcement.
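A simplified model of the label check described above, as an added example that is not part of the original page or of SELinux itself. It covers only type-enforcement `allow` rules; the rules, labels and paths are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed type-enforcement rules in SELinux policy syntax (sample, not a full policy).
POLICY = """
allow httpd_t httpd_sys_content_t:dir { getattr search open read };
allow httpd_t httpd_sys_content_t:file { getattr open read };
allow httpd_t httpd_log_t:file { append };
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_context(context):
    """Split 'user:role:type:level' into fields; the level may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": setype, "level": level}

def load_rules(text):
    """Build {(source_type, target_type, object_class): permissions} from allow rules."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def is_allowed(rules, process_ctx, object_ctx, obj_class, perm):
    """Default deny: access is granted only if an allow rule names this exact type pair."""
    key = (parse_context(process_ctx)["type"], parse_context(object_ctx)["type"], obj_class)
    return perm in rules.get(key, set())

RULES = load_rules(POLICY)
# Constructed labels, in the form `ps -eZ` and `ls -Z` display them.
HTTPD = "system_u:system_r:httpd_t:s0"
WEB_DIR = "system_u:object_r:httpd_sys_content_t:s0"
HOME_DIR = "unconfined_u:object_r:user_home_t:s0"

if __name__ == "__main__":
    # Hypothetical paths paired with the constructed labels above.
    for path, ctx in (("/var/www/html", WEB_DIR), ("/home/alice", HOME_DIR)):
        verdict = "allowed" if is_allowed(RULES, HTTPD, ctx, "dir", "read") else "denied"
        print(f"httpd_t read dir {path} [{ctx}]: {verdict}")
```

The web server process can read the directory labelled `httpd_sys_content_t` but not the one labelled `user_home_t`, regardless of the file permissions DAC would grant, because no rule approves that pair of labels.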