More generally, the Linux kernel has a similar design.
It manages system resources such as files and networks.
When a user tries to access these resources, he has to invoke system calls.
The kernel has routines to handle system calls, and these routines
invoke SELinux code (via LSM) to ask whether the required access should be
allowed. SELinux makes its access control decision and returns it to the
caller, and the caller then acts according to the decision.
In this model, we call this decision-making component the "security server",
which can provide access control decisions independently of the class of
subsystem.
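
The flow described above, as a simplified user-space model in C. This is an
added example, not SELinux or kernel code; the function names, labels and the
sample policy are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not kernel code: every name and label is hypothetical. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_CONNECT = 4 };

struct rule { const char *scon, *tcon, *tclass; unsigned allowed; };

/* Constructed sample policy: subject label, object label, class, permissions. */
static const struct rule policy[] = {
    { "httpd_t", "httpd_content_t", "file",       PERM_READ },
    { "httpd_t", "http_port_t",     "tcp_socket", PERM_CONNECT },
};

/* Security server: sees only labels and a class name, never the resource. */
static unsigned compute_av(const char *scon, const char *tcon, const char *tclass) {
    unsigned av = 0;
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (!strcmp(policy[i].scon, scon) && !strcmp(policy[i].tcon, tcon) &&
            !strcmp(policy[i].tclass, tclass))
            av |= policy[i].allowed;
    return av; /* no matching rule leaves the vector empty: default deny */
}

/* Hook layer (the LSM role): ask the security server, return 0 or -EACCES. */
static int hook_permission(const char *scon, const char *tcon,
                           const char *tclass, unsigned requested) {
    return (compute_av(scon, tcon, tclass) & requested) == requested ? 0 : -EACCES;
}

/* Object managers: system call routines that own a resource and enforce. */
int model_sys_open(const char *task, const char *file, int want_write) {
    unsigned req = PERM_READ | (want_write ? PERM_WRITE : 0);
    int rc = hook_permission(task, file, "file", req);
    return rc ? rc : 3; /* 3 is a constructed descriptor number */
}

int model_sys_connect(const char *task, const char *port) {
    return hook_permission(task, port, "tcp_socket", PERM_CONNECT);
}

int main(void) {
    printf("open ro: %d\n", model_sys_open("httpd_t", "httpd_content_t", 0));
    printf("open rw: %d\n", model_sys_open("httpd_t", "httpd_content_t", 1));
    printf("connect: %d\n", model_sys_connect("user_t", "http_port_t"));
    return 0;
}
```

Both object managers call the same decision function and differ only in the
class name and permission bits they pass, which is what lets one security
server cover files and networks alike.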