Configure ACL(Access Control List) - Administrative ACL

This form is displayed by clicking the "Administrative ACL" link in the left pane. In this form, some permissions for using system calls that can be used by attackers are listed. The screenshot is shown below.

1 "relabel all files" check-box

You can allow the current domain to relabel all security labels for files. You should  also check "access /selinux".

2 "relabel files that this domain can write-access." check-box

You can allow the current domain to relabel files that it can write-access.

3 "access /selinux" check-box

Access selinuxfs under /selinux.

4 "use setenforce command" check-box

To check this allows the current domain to execute the "avc_toggle" command.

5 "use load_policy command" check-box

To check this allows the current domain to execute the "load_policy" command.

6 "rewrite arp,route table" check-box

To check this allows the current domain to rewrite the arp table and a route table, and use the Promiscous mode. This corresponds to the capability "CAP_NET_ADMIN" in Linux system.

7 "use boot system call" check-box

To check this allows the current domain to use the "reboot" system call. This corresponds to the capability "CAP_SYS_BOOT" in Linux system.

8 "reload kernel module" check-box

To check this allows the current domain to load/unload the kernel modules. This corresponds to the capability "CAP_SYS_MODULE" in Linux system.

9 "use quotaon" check-box

To check this allows examination and configuration of disk quotas for the current domain.

10 "swapon" check-box

To check this allows the current domain to start the swap.

11 "use mount system call" check-box

To check this allows the current domain to execute the "mount" system call.

12 "raw I/O(access /dev/mem etc.)"

To check this allows the current domain to use the "ioperm" and "iopl" system call. This corresponds to the capability "CAP_SYS_RAWIO" in Linux System.

13 "use of ptrace system call" check-box

To check this allows the current domain to use the "ptrace" system call.

14 "use of chroot system call" check-box

To check this allows the current domain to use the "chroot" system call.

15 "Search all directories" check-box

To check this allows the current domain to search all directories.

16 "Read all files" check-box

To check this allows the current domain to read all files.

17 "Write all files" check-box

To check this allows the current domain to write all files.

18 "read/write unlabeled file(This is used to read/write CD or FD.)" check-box

To check this allows the current domain to read and write unlabeled files.

19 "allow everything!" check-box

Allow everything.

19 "apply" button

By clicking this, the inter-configuration files are updated with the changes.