SELinux implements MAC through the use of Type Enforcement (TE), Role Based Access Controls (RBAC), and Multi-Level Security (MLS).
SELinux defines the access and transition rights of every user, application, process, and file on the system.
The SELinux Decision Making Process
When a subject, (for example, an application), attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached. If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied, with an avc: denied message detailed in /var/log/messages if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server’s matrix.
Reference : http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
SELinux Explained with Examples in Easy Language (computernetworkingnotes.com)
SELinux/Tutorials/Creating your own policy module file – Gentoo Wiki
PowerPoint Presentation (aalto.fi)