Summary
By default, SELinux applies access controls based on the TCP and UDP ports and on the sockets bound to them; this is configurable through the semanage command. More advanced communication control can be accomplished through Linux netfilter support, using SECMARK labeling, and through peer labeling.

With SECMARK labeling, local firewall rules map contexts onto packets, which are then governed by the SELinux policy. With peer labeling, either the application context itself (in the case of labeled IPSec) or its sensitivity level (in the case of netfilter/CIPSO support) is used. This allows almost application-to-application network flow control through SELinux policies.

In the next chapter, we will see how to enhance the SELinux policy ourselves, not only through the SELinux Booleans already available, but also through the creation of additional types (which can be used for SECMARK labeling), user domains, application policies, and more.
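As an added illustration of the two mechanisms just summarized (this is example code, not from the book), the following shell script builds the `semanage port` command that binds a port to a port type, and the `iptables` mangle-table rules that attach a SECMARK packet context to matching traffic and carry it across the connection with CONNSECMARK. The port numbers, the `http_port_t` port type and the `http_server_packet_t` packet type are assumptions chosen in the reference-policy naming style; the script only prints the commands unless `APPLY=1` is set, so it can be reviewed before any rule is loaded.

```shell
#!/bin/sh
# Added example (not the book's code): generate the semanage and SECMARK rules
# described above. Commands are printed unless APPLY=1, so the rule set can be
# checked first. Port numbers and type names below are assumptions.

# Execute a command when APPLY=1; otherwise print it as a dry run.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Port-based control: add a port to a port type so that only domains allowed
# to name_bind on that type may listen on it.
label_port() {
    # $1 = port type (e.g. http_port_t), $2 = protocol, $3 = port or range
    run semanage port -a -t "$1" -p "$2" "$3"
}

# SECMARK: tag packets matching a firewall rule with a packet context. SELinux
# policy then decides which domains may send or receive packets of that type.
secmark_rule() {
    # $1 = chain (INPUT/OUTPUT), $2 = protocol, $3 = destination port,
    # $4 = packet type (e.g. http_server_packet_t)
    ctx="system_u:object_r:$4:s0"
    run iptables -t mangle -A "$1" -p "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j SECMARK --selctx "$ctx"
}

# CONNSECMARK: restore the mark on established traffic first, and save the
# mark of new connections after the SECMARK rules have run, so every packet
# of a connection carries the same context.
connsecmark_restore() {
    # $1 = chain (INPUT/OUTPUT)
    run iptables -t mangle -A "$1" -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
}
connsecmark_save() {
    # $1 = chain (INPUT/OUTPUT)
    run iptables -t mangle -A "$1" -m conntrack --ctstate NEW -j CONNSECMARK --save
}

# Assemble the full rule set for an assumed web service on port 8080.
build_rules() {
    label_port http_port_t tcp 8080
    connsecmark_restore INPUT
    connsecmark_restore OUTPUT
    secmark_rule INPUT tcp 8080 http_server_packet_t
    connsecmark_save INPUT
}

build_rules
```

Run it as-is to see the generated commands; rerun with `APPLY=1` as root to load them. The order inside `build_rules` matters: the `--restore` rules must precede the SECMARK rule so that established packets keep their context, and `--save` must follow it so the newly assigned context is what gets stored on the connection.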