TCP and UDP support
When we confine network-facing services, for example web servers or database servers, we not only focus on the file-based restrictions and process capabilities, but also on which network activities the services are allowed to perform. Many database servers should not be able to initiate a connection themselves to other systems and, if they do, these connections should be limited to the expected services (like other database services).
The first approach to limiting this is to define what sockets a process is allowed to bind on (as a service) or connect to (as a client). In the majority of cases, the sockets are either TCP sockets or UDP sockets. In SELinux, these are mapped to the tcp_socket and udp_socket classes.
Labeling ports
In order to easily map SELinux domain accesses to the TCP or UDP ports, SELinux allows administrators to label these ports and define which domains can access what ports. When a domain tries to connect or bind to a port, the name_connect or name_bind permissions...