Thanks for your answer! So if I combine that with what I have already had to find out myself over the past couple of years, does it boil down to the following?
* a mechanism for controlling which operations may be performed on which files and devices, and what networking operations may be performed (plus a few which I am not aware of), based on the current rights assigned to the executing process.
* a mechanism for adding or removing rights based on user ID, explicit requests from the user and execution of binaries with the equivalent of special capabilities (again, plus a few which I'm not aware of).
* an in-kernel-memory policy database to manage all this.
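The three bullets above can be made concrete with a small in-memory model: a policy database, an access check that looks only at the calling process's current domain (not its user ID), and the two ways a process's domain changes (a transition on exec, and an explicit request). This is an added illustration, not code from the original post or from any real kernel; it assumes the thread is about a label-based mandatory access control system in the style of SELinux type enforcement, and every label, domain and port name in it (`user_t`, `passwd_exec_t`, `shadow_t`, `http_port_t`, and so on) is constructed for the example, not taken from a real policy.

```python
"""Toy model of a label-based MAC policy: a policy database, an access
check keyed on the process's current domain, and domain changes on exec
or on explicit request.  All labels and rules below are constructed for
illustration; they are not a real policy."""
from dataclasses import dataclass, field


@dataclass
class PolicyDB:
    # (subject_domain, object_label, object_class) -> set of permitted operations
    allow: dict = field(default_factory=dict)
    # (current_domain, label of executed binary) -> new domain after exec
    exec_transition: dict = field(default_factory=dict)
    # current_domain -> set of domains the process may explicitly request
    explicit_transition: dict = field(default_factory=dict)
    # user ID -> domain a login process for that user starts in
    user_domain: dict = field(default_factory=dict)

    def add_allow(self, domain, obj_label, cls, ops):
        self.allow.setdefault((domain, obj_label, cls), set()).update(ops)


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str  # the "current rights" the post refers to


def check(policy, proc, obj_label, cls, op):
    """Access decision: depends on the process's domain, not on its uid."""
    return op in policy.allow.get((proc.domain, obj_label, cls), set())


def login(policy, uid):
    """Initial rights assigned from the user ID."""
    return Process(uid, policy.user_domain[uid])


def execve(policy, proc, binary_label):
    """Exec: the process may enter a new domain if the policy says so for
    (current domain, binary label); otherwise it keeps its domain."""
    if not check(policy, proc, binary_label, "file", "execute"):
        raise PermissionError(f"{proc.domain} may not execute {binary_label}")
    new_domain = policy.exec_transition.get((proc.domain, binary_label), proc.domain)
    return Process(proc.uid, new_domain)


def request_transition(policy, proc, new_domain):
    """Explicit request by the process to change domain; only listed pairs work."""
    if new_domain not in policy.explicit_transition.get(proc.domain, set()):
        raise PermissionError(f"{proc.domain} may not switch to {new_domain}")
    return Process(proc.uid, new_domain)


def build_sample_policy():
    """Constructed sample policy (hypothetical labels)."""
    p = PolicyDB()
    p.user_domain = {1000: "user_t"}
    p.add_allow("user_t", "user_home_t", "file", {"read", "write"})
    p.add_allow("user_t", "passwd_exec_t", "file", {"execute"})
    p.add_allow("user_t", "http_port_t", "tcp_socket", {"connect"})
    p.add_allow("passwd_t", "shadow_t", "file", {"read", "write"})
    p.exec_transition[("user_t", "passwd_exec_t")] = "passwd_t"
    p.explicit_transition["user_t"] = {"staff_t"}
    p.add_allow("staff_t", "syslog_t", "file", {"read"})
    return p


def walkthrough():
    """Run a uid-1000 process through the policy and collect the decisions."""
    policy = build_sample_policy()
    shell = login(policy, 1000)
    results = {
        "home_read": check(policy, shell, "user_home_t", "file", "read"),
        "shadow_read": check(policy, shell, "shadow_t", "file", "read"),
        "http_connect": check(policy, shell, "http_port_t", "tcp_socket", "connect"),
        "ssh_connect": check(policy, shell, "ssh_port_t", "tcp_socket", "connect"),
    }
    # exec of the password binary moves the process into passwd_t: same uid,
    # different rights (gains shadow_t, loses the home-directory rules)
    passwd = execve(policy, shell, "passwd_exec_t")
    results["passwd_domain"] = passwd.domain
    results["passwd_shadow_write"] = check(policy, passwd, "shadow_t", "file", "write")
    results["passwd_home_read"] = check(policy, passwd, "user_home_t", "file", "read")
    # explicit request: allowed to staff_t, refused straight into passwd_t
    staff = request_transition(policy, shell, "staff_t")
    results["staff_syslog_read"] = check(policy, staff, "syslog_t", "file", "read")
    try:
        request_transition(policy, shell, "passwd_t")
        results["direct_passwd_switch"] = True
    except PermissionError:
        results["direct_passwd_switch"] = False
    return results


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name}: {decision}")
```

The point the walkthrough makes is the one in the first bullet: after the exec the uid is still 1000, yet the answers to the file and socket checks change, because the decision is keyed on the process's current domain and the policy database, not on who is logged in.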