SELinux Domains and Types

Domains and types form sandboxes for programs and objects: a domain is the security context a process runs in, a type is the label on an object (file, socket, directory). Creation, actions and transitions are the important lifecycle steps for domains and types. Unfortunately the difference between the two concepts is not clear-cut; SELinux itself makes almost no distinction, since a domain is simply a type that is applied to processes.

A user enters a domain because the policy associated with that domain lets users holding a certain role enter it. In most cases entry happens by executing a special program, the entry point, whose file type the policy ties to the domain; the process then transitions into the domain. From then on the domain's policy controls which actions the process may take and which further transitions it may make.

When objects are accessed or created, the object creation process is typically governed by two things together: the type of the parent object (the directory) and the policy of the creating domain. The label of a newly created file follows from that combination.
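Both mechanisms, domain entry through an entry-point program and object labelling from parent directory plus creating domain, appear in this added Reference Policy module. It is an illustration written for this page, not policy from any project: the names myapp_t, myapp_exec_t and myapp_data_t are invented, while initrc_t, var_lib_t and system_r are standard Reference Policy identifiers.

```selinux
# Added example module (hypothetical names: myapp_t, myapp_exec_t, myapp_data_t)
policy_module(myapp, 1.0)

type myapp_t;        # the domain the daemon runs in
type myapp_exec_t;   # type of the entry-point program on disk
type myapp_data_t;   # type for files the daemon creates

domain_type(myapp_t)
# Declare myapp_exec_t as the only file type through which myapp_t is entered
domain_entry_file(myapp_t, myapp_exec_t)

require {
    type initrc_t;   # the init scripts domain (Reference Policy)
    type var_lib_t;  # generic type of /var/lib directories (Reference Policy)
    role system_r;   # the system role (Reference Policy)
}

# Role check: processes in role system_r may run in the myapp_t domain
role system_r types myapp_t;

# Domain entry: when initrc_t executes a myapp_exec_t file, the new process
# transitions into myapp_t. Expands to the allow rules plus
#   type_transition initrc_t myapp_exec_t:process myapp_t;
domtrans_pattern(initrc_t, myapp_exec_t, myapp_t)

# Object creation: a file created by myapp_t inside a var_lib_t directory is
# labelled myapp_data_t instead of inheriting var_lib_t. Expands to
#   type_transition myapp_t var_lib_t:file myapp_data_t;
filetrans_pattern(myapp_t, var_lib_t, myapp_data_t, file)

# Actions inside the domain: full management of its own data files only
manage_files_pattern(myapp_t, myapp_data_t, myapp_data_t)
```

Without the filetrans_pattern rule the created file would simply inherit var_lib_t from its parent directory, which is the default labelling behaviour the last paragraph describes.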