disallow programs, such as newrole, from transitioning to administrative user domains.
disallow programs and users from transitioning to insmod domain.
prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back