Introduction
During the development of additional policies, developers can opt to use a very fine-grained policy model, a domain-per-application model, or a coarse-grained, functionality-based policy model. The relationship between these confinement models is shown in the following diagram:
In very fine-grained policies, multiple domains are defined, so that functionally different processes of the same application each run in their own specialized SELinux domain. A coarse-grained policy, on the other hand, lets different applications with similar functionality run in the same context. Application-level policies sit somewhere in between: they focus on one domain (or a very small set of domains) for one application.
Most policies are developed using a one-domain-per-application principle. Still, the choice of development pattern reflects the confinement level of an application, as shared, coarse-grained policies might allow for more interaction between...
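As an added illustration (not taken from the book or from any shipped policy), the following reference-policy module sketches all three models in one place, using assumed names (myapp_t, myapp_helper_t, otherapp_exec_t, myapp_data_t):

```selinux
# Added example (not from the book). Hypothetical module "myapp" with the
# assumed names myapp_t, myapp_helper_t, otherapp_exec_t and myapp_data_t.
policy_module(myapp, 1.0.0)

########################################
# Baseline: one domain for one application (domain-per-application).
#
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# The application's private data; every process in myapp_t can manage it.
type myapp_data_t;
files_type(myapp_data_t)
manage_dirs_pattern(myapp_t, myapp_data_t, myapp_data_t)
manage_files_pattern(myapp_t, myapp_data_t, myapp_data_t)

########################################
# Fine-grained variant: a functionally different helper process of the
# same application gets its own domain, entered through a domain transition.
#
type myapp_helper_t;
type myapp_helper_exec_t;
domain_type(myapp_helper_t)
domain_entry_file(myapp_helper_t, myapp_helper_exec_t)
role system_r types myapp_helper_t;

# myapp_t may execute the helper binary, which then runs as myapp_helper_t.
domtrans_pattern(myapp_t, myapp_helper_exec_t, myapp_helper_t)

# A privilege only the helper needs stays out of myapp_t entirely; the
# helper in turn has no rule on myapp_data_t, so a compromised helper
# cannot reach the application's data.
allow myapp_helper_t self:capability net_bind_service;

########################################
# Coarse-grained variant: a second program with similar functionality gets
# its own entrypoint type but runs in the shared myapp_t domain. It inherits
# every rule granted to myapp_t above, including full access to
# myapp_data_t: that shared access is the extra interaction a coarse-grained
# policy permits.
#
type otherapp_exec_t;
init_daemon_domain(myapp_t, otherapp_exec_t)
```

A matching file-context (.fc) file would label the main binary as myapp_exec_t, the helper as myapp_helper_exec_t and the second program as otherapp_exec_t; the labels, not the module, decide which model each process ends up in.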