The object_r role is a predefined role that is used for objects, since the role field in an object security context is not used in access decisions. Any type can be associated with this role. A role allow rule to this role should never be defined, since a process with this role could potentially enter any domain.
The system_r role is the role of system processes. Any of the TE system domains described in Section 3.4.2 can be associated with this role. The sysadm_t domain is authorized for this role so that init can enter this domain for single-user mode. The fsadm_t, ifconfig_t, and module program domains are also authorized for this role so that initrc_t can execute the corresponding programs.
The user_r role is the role of unprivileged user processes. The initial login domain for this role is the user_t domain. This role is also authorized for a variety of user program domains.
The sysadm_r role is the role of the system administrator. The initial login domain for this role is the sysadm_t domain. This role is also authorized for a variety of user program domains, including domains for ifconfig, fsck, and the module utilities.
These user roles can be entered at login. To support role changes during a login session, a newrole program was created. This program reauthenticates the user to ensure that the role change does not occur without consent by the user. The program transitions to the new role and to the initial login domain associated with that role. This program is run in the newrole_t domain that is authorized for role changes.