

8.14 Configuring access control other administrative access rights

8.14.1 allowadm

  1. Syntax
    allowadm [relabel] | [part_relabel] | [getsecurity] | [setenforce] | [load_policy] | [net] | [boot] | [insmod] | [quotaon] | [swapon] | [mount] | [raw_io] | [ptrace] | [chroot] | [search] | [unlabel] | [read] | [write] | [all];
  2. Meaning
    1. relabel
      Allows relabeling all files. You must also allow getsecurity.
    2. part_relabel
      Allows relabeling files that the domain can write. You must also allow getsecurity.
    3. getsecurity
      Allows getting security policy decisions by accessing /selinux.
    4. setenforce
      Allows toggling between enforcing and permissive mode.
    5. load_policy
      Allows loading policy into the kernel.
    6. net
      Allows the capability CAP_NET_ADMIN (for example, administering NICs and the routing table).
    7. boot
      Allows the capability CAP_SYS_BOOT, that is, use of the reboot system call.
    8. insmod
      Allows the capability CAP_SYS_MODULE, that is, installing kernel modules.
    9. quotaon
      Allows quotaon.
    10. swapon
      Allows swapon.
    11. mount
      Allows mounting devices.
    12. raw_io
      Allows the capability CAP_SYS_RAWIO, that is, use of the ioperm and iopl system calls and access to /dev/mem.
    13. ptrace
      Allows use of ptrace.
    14. chroot
      Allows use of chroot.
    15. unlabel
      Allows full access to unlabeled files (files labeled as unlabeled_t or file_t). This also allows access to unsupported file systems. To see which file systems are unsupported, see base_policy/genfs_contexts.
    16. search
      Allows s permission on all files.
    17. read
      Allows r permission on all files.
    18. write
      Allows w permission on all files.
    19. all
      Allows EVERYTHING!!
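
An added example, not part of the original manual or of the policy editor's own code: a small checker for the allowadm statements of one domain, which reports unknown right names and a relabel or part_relabel grant that lacks the getsecurity grant required above. It assumes one right per statement, as the syntax shows, and treats all as covering getsecurity; the REVIEW set and the sample policy are constructed for illustration.

```python
import re

# Rights listed in section 8.14.1.
KNOWN = {"relabel", "part_relabel", "getsecurity", "setenforce", "load_policy",
         "net", "boot", "insmod", "quotaon", "swapon", "mount", "raw_io",
         "ptrace", "chroot", "search", "unlabel", "read", "write", "all"}
# Rights that the manual says must be paired with getsecurity.
NEEDS_GETSECURITY = {"relabel", "part_relabel"}
# Assumption (reviewer's choice, not from the manual): rights to flag for review.
REVIEW = {"all", "setenforce", "load_policy", "insmod", "raw_io"}

# One statement per right: "allowadm <right>;" at the start of a line.
STATEMENT = re.compile(r"^\s*allowadm\s+([^;]*);", re.MULTILINE)


def lint_allowadm(policy_text):
    """Return (granted rights, findings) for one domain's allowadm statements."""
    granted, findings = set(), []
    for match in STATEMENT.finditer(policy_text):
        right = match.group(1).strip()
        if right in KNOWN:
            granted.add(right)
        else:
            findings.append(("unknown-right", right))
    # "all" allows everything, so it is read here as satisfying the requirement.
    if "getsecurity" not in granted and "all" not in granted:
        for right in sorted(granted & NEEDS_GETSECURITY):
            findings.append(("missing-getsecurity", right))
    for right in sorted(granted & REVIEW):
        findings.append(("review", right))
    return granted, findings


# Constructed sample: relabel without getsecurity, plus a misspelled right.
SAMPLE = """\
allowadm relabel;
allowadm mount;
allowadm raw_io;
allowadm setenfoce;
"""

if __name__ == "__main__":
    rights, problems = lint_allowadm(SAMPLE)
    print(sorted(rights))
    for kind, right in problems:
        print(f"{kind}: {right}")
```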


2005-07-19