A use case for building our own policy is to create a custom SECMARK type and make sure that a particular domain is the only domain that is allowed to handle this communication.

The following SELinux rules create an invalid_packet_t type (to match packets that should not be sent out: for example, the PostgreSQL communication that is directed to the Internet rather than the internal network) and an intranet_packet_t type (to match packets being sent to an intranet server):

# cat custom_packets.te 
policy_module(custom_packets, 1.0) 
 
type invalid_packet_t; 
corenet_packet(invalid_packet_t) 
 
type intranet_packet_t; 
corenet_packet(intranet_packet_t) 

With these rules loaded, we can now create SECMARK rules that label packets with invalid_packet_t...