I've found SELinux an interesting but somehow never worked out how it works. Most of my
experience is unexplained permission denied errors. In the comments there is mention of a
program that will tell you when something was denied by SELinux, which is a huge step forward.
I have got as far as labels being strings and files and processes have them, but how exactly
that leads to the controlling of permissions (the magic ingredient) still eludes me.
From recollection I don't think LWN has ever done an SELinux primer, for example.
I've found an 'SELinux for Dummies' and am quite a few articles in, but the magic ingredient
has not yet been revealed... At this point I'm guessing a database of some sort. I'm hoping at
some point some pseudocode will appear that describes exactly how it works.