This form is displayed by clicking the "Administrative ACL" link in the left pane. It lists permissions for system calls that attackers can abuse. The screenshot is shown below.
You can allow the current domain to change the security labels of all files. You should also check "access /selinux".
You can allow the current domain to relabel the files to which it has write access.
Checking this allows the current domain to execute the "avc_toggle" command.
Checking this allows the current domain to execute the "load_policy" command.
Checking this allows the current domain to rewrite the ARP table and the routing table, and to use promiscuous mode. This corresponds to the capability "CAP_NET_ADMIN" in Linux.
Checking this allows the current domain to use the "reboot" system call. This corresponds to the capability "CAP_SYS_BOOT" in Linux.
Checking this allows the current domain to load and unload kernel modules. This corresponds to the capability "CAP_SYS_MODULE" in Linux.
Checking this allows the current domain to examine and configure disk quotas.
Checking this allows the current domain to start the swap.
Checking this allows the current domain to execute the "mount" system call.
Checking this allows the current domain to use the "ioperm" and "iopl" system calls. This corresponds to the capability "CAP_SYS_RAWIO" in Linux.
Checking this allows the current domain to use the "ptrace" system call.
Checking this allows the current domain to use the "chroot" system call.
Checking this allows the current domain to search all directories.
Checking this allows the current domain to read all files.
Checking this allows the current domain to write all files.
Checking this allows the current domain to read and write unlabeled files.
Allow everything.
Clicking this updates the inter-configuration files with the changes.
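Before checking the boxes that correspond to Linux capabilities, it helps to see which of those capabilities a daemon actually holds. The following is an added example, not part of the policy editor: it decodes the capability masks in the text of /proc/<pid>/status for the four capabilities named above. The function names and the sample status text are constructed for illustration; the bit numbers are those in <linux/capability.h>.

```python
import re

# Capabilities named on this page, with bit numbers from <linux/capability.h>.
PAGE_CAPS = {
    "CAP_NET_ADMIN": 12,   # ARP table, routing table, promiscuous mode
    "CAP_SYS_MODULE": 16,  # load/unload kernel modules
    "CAP_SYS_RAWIO": 17,   # ioperm, iopl
    "CAP_SYS_BOOT": 22,    # reboot
}

# Constructed sample in the format of /proc/<pid>/status.
SAMPLE_STATUS = (
    "Name:\tnetd-example\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000411000\n"
    "CapEff:\t0000000000401000\n"
    "CapBnd:\t000001ffffffffff\n"
)

def parse_cap_sets(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} from status text."""
    pattern = r"^(Cap[A-Za-z]+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def held(mask):
    """Names of the page's capabilities whose bit is set in mask."""
    return sorted(n for n, bit in PAGE_CAPS.items() if mask & (1 << bit))

def audit(status_text):
    """Split the page's capabilities into active and regainable ones."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets or "CapPrm" not in sets:
        raise ValueError("status text has no CapEff/CapPrm lines")
    effective = held(sets["CapEff"])
    # Permitted but not effective: the process can raise these again.
    dormant = sorted(set(held(sets["CapPrm"])) - set(effective))
    return {"effective": effective, "permitted_only": dormant}

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_STATUS  # not on Linux: fall back to the sample
    print(audit(text))
```

A capability that appears under neither heading is one the daemon never has, so the matching checkbox can stay unchecked for its domain.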