Introduction
Roles provide a flexible, manageable approach to grant multiple users the proper rights. Instead of assigning privileges to individual users, roles are created to which privileges are granted. Users are then granted the role and inherit the privileges associated with this role.
In SELinux, roles are used to grant access to domains. An application domain that is used to manage certificates on a system is assigned to one or more roles, thus allowing users with that role to possibly transition into that application domain. If the user role does not have this privilege, then the necessary permissions to manage certificates through that application domain are not accessible for the user.
The following diagram shows the relation between Linux logins (regular Linux accounts), SELinux users, SELinux roles, and SELinux domains:
To assign roles to users, Linux accounts are first mapped to an SELinux user. An SELinux user defines which roles are accessible (as users can have multiple roles...