How can I protect SELinux labels from being modified?

I'm running Fedora 23. I have SELinux enabled and enforced. I know that you can change a file's labels with restorecon and chcon (and possibly other programs). This is no doubt an avenue by which a file's security can be bypassed. How can I make it so SELinux labels cannot be changed. [This](https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_SELinux_controls_file_and_directory_accesses) Gentoo documentation page says that SELinux can be used to do that, but it doesn't say how. Fedora's targeted policy provides three particular booleans: + secure_mode — "Do not allow transition to sysadm_t, sudo and su effected" + secure_mode_insmod — "Do not allow any processes to load kernel modules" + secure_mode_policyload — "Do not allow any processes to modify kernel SELinux policy" Does Fedora policy come with some way to prevent user space processes from modifying SELinux labels?