SELinux/Networking

SELinux supports several networking-related access controls. Alongside the TCP and UDP socket support, it also supports packet labeling (through SECMARK) and even peer labeling, where the label of the process on one system is carried along with the traffic to the other system, so that policy decisions can be made end-to-end rather than only on the local host.

TCP and UDP socket support
The default access controls for networking in SELinux are based on the labels assigned to TCP and UDP ports and sockets. For instance, the TCP port 80 is labeled with  (and class  ). Access to this port is then governed by SELinux permissions on the port's label, such as name_connect and name_bind.

When an application connects to a port, the name_connect permission is checked on the port's label; when an application binds to a port, the name_bind permission is checked instead. Note that name_connect only exists for connection-oriented socket classes such as tcp_socket, so an outgoing UDP datagram is not checked against the destination port's label, while binding to a UDP port is still subject to name_bind. Either denial shows up as an AVC message whose tcontext names the port type, and the port can be mapped back to its type with semanage port -l.
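As an added example (not part of the original page), the script below shows how the two checks relate to port labels in practice: it parses a constructed sample in the layout of `semanage port -l`, resolves a port number to its port type, and then explains constructed name_connect and name_bind AVC denials, producing the sesearch query to see which port types the denied domain is allowed to use and the semanage command that would relabel the port. The port map, the audit lines and the `<allowed_port_type>` placeholder are constructed for the example; the narrowest-match lookup and the choice between `semanage port -m` and `-a` are assumptions about how semanage reports an already defined port, not something this page states.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `semanage port -l` (not captured from a
# real system). The catch-all ranges at the bottom stand in for the generic
# port types the policy assigns to ports without a specific label.
SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      22
dns_port_t                     tcp      53
dns_port_t                     udp      53
reserved_port_t                tcp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-32767, 61001-65535
ephemeral_port_t               tcp      32768-61000
"""

# Constructed AVC denials in the format auditd prints them: a name_connect
# denial carries the remote port as dest=, a name_bind denial the local port
# as src=.
AVC_LINES = [
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  '
    'pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_bind } for  '
    'pid=2345 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
]


@dataclass(frozen=True)
class PortRule:
    port_type: str
    proto: str
    low: int
    high: int

    def covers(self, proto, port):
        return self.proto == proto and self.low <= port <= self.high


def parse_semanage_ports(text):
    """One PortRule per port or port range listed in semanage-style output."""
    rules = []
    for line in text.splitlines()[1:]:          # skip the column header
        m = re.match(r"(\S+)\s+(tcp|udp)\s+(.+)", line.strip())
        if not m:
            continue
        port_type_name, proto, ports = m.groups()
        for entry in ports.split(","):
            low, _, high = entry.strip().partition("-")
            rules.append(PortRule(port_type_name, proto, int(low), int(high or low)))
    return rules


def match_rule(rules, proto, port):
    """Narrowest covering rule wins. Assumption: this mirrors the kernel's
    first-match portcon lookup, since single ports precede the broad ranges."""
    hits = [r for r in rules if r.covers(proto, port)]
    return min(hits, key=lambda r: r.high - r.low) if hits else None


def port_type(rules, proto, port):
    rule = match_rule(rules, proto, port)
    return rule.port_type if rule else None


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[\w ]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?\b(?:src|dest)=(?P<port>\d+).*?scontext=(?P<scon>\S+)'
    r'.*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)'
)


def explain_denial(rules, line):
    """Map an AVC denial back to the port check that produced it."""
    m = AVC_RE.search(line)
    if not m:
        return None
    proto = m["tclass"].split("_")[0]           # tcp_socket -> tcp
    port = int(m["port"])
    src_type = m["scon"].split(":")[2]          # user:role:type:level -> type
    denied_type = m["tcon"].split(":")[2]
    rule = match_rule(rules, proto, port)
    # A port defined individually is changed with -m, a port that only falls
    # into a generic range is added with -a (assumption, see lead-in).
    verb = "-m" if rule and rule.low == rule.high else "-a"
    return {
        "permission": m["perm"].strip(),
        "comm": m["comm"],
        "source_domain": src_type,
        "proto": proto,
        "port": port,
        "port_type": denied_type,
        # False would mean the local port map changed since the denial was logged.
        "label_matches_local_map": rule is not None and rule.port_type == denied_type,
        "check": f"sesearch -A -s {src_type} -c {proto}_socket -p {m['perm'].strip()}",
        "relabel": f"semanage port {verb} -t <allowed_port_type> -p {proto} {port}",
    }


RULES = parse_semanage_ports(SEMANAGE_PORT_L)

if __name__ == "__main__":
    for line in AVC_LINES:
        print(explain_denial(RULES, line))
```

The relabel command is only the right fix when the daemon legitimately owns the port; a name_connect denial for a client domain is more often resolved in policy (by allowing that domain the port type the sesearch output shows it lacks) than by moving the port to a different type that other domains may rely on.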