Generally, for each of these object categories one RC type gets defined and assigned to the individual objects, and all existing roles get appropiate type compatibility settings to these types.
As an example, the type
Executables is assigned to the directories /bin and /usr/bin, which
contain executable files. All of these then inherit the effective type
Executables. As soon as the type compatibilities of all roles to
this type are set accordingly, executables are fully protected. Furthermore,
after setting all desired executables to this type, one can safely remove
the execute right to all other types and thus avoid any execution of
unprotected and possibly malicious files.