Processes are the major abstraction in the process management component. The process object class was defined for this abstraction. When a process is created, it is assigned the SID of its parent. That SID may only be changed when a new program is executed. Unless otherwise specified, the new SID depends on the old SID and the SID of the new program. Since the computation of the new security context may involve policy-specific logic, it must be computed by the security server.
An additional object class, capability, was defined to control the use of Linux capabilities. It is sufficient to only check capability use, but it could also be useful to place controls over their distribution that could augment the current approach . However, at this time that will not be done.