The approach with TCP and UDP ports has a few downsides. One of them is that there is no knowledge of the target host, so you cannot govern which hosts a domain may connect to. There is also no way of limiting daemons from binding on any interface: in a multi-homed situation, we might want to make sure that a daemon only binds on the interface facing the internal network and not the Internet-facing one, or vice versa.
In the past, SELinux supported this binding restriction through interface and node labels: a domain could be allowed to bind on one interface and no other, or even only on a particular address (referred to as a node). This support has been deprecated in favor of the regular network access controls because it had a flaw: there was no link between the host or interface binding information and the connect or bind permission towards a particular socket.
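To make the two mechanisms concrete, here is an added policy fragment in SELinux type enforcement syntax; it is not from the original text and is not part of any shipped policy. It assumes a web server domain `httpd_t`, the reference policy's `http_port_t` port label, and node and interface labels `internal_node_t`, `external_node_t` and `internal_netif_t` that an administrator is assumed to have assigned to the internal and Internet-facing addresses and interfaces; those label names are illustrative assumptions.

```selinux
# Added example, not from the original text. Assumed labels:
#   httpd_t          - the web server domain
#   http_port_t      - port label for TCP port 80 (reference policy name)
#   internal_node_t  - node label assumed to cover the internal addresses
#   external_node_t  - node label assumed to cover the Internet-facing addresses
#   internal_netif_t - interface label assumed to cover the internal interface

# Port-based control: the domain may bind a TCP socket to a port labeled
# http_port_t. This rule says nothing about the address the socket is bound on.
allow httpd_t http_port_t:tcp_socket name_bind;

# Node-based control (the deprecated mechanism): the domain may bind a TCP
# socket to an address labeled internal_node_t. With no node_bind rule for
# external_node_t, a bind on an Internet-facing address is denied.
allow httpd_t internal_node_t:tcp_socket node_bind;

# Interface-based control (legacy netif permissions): the domain may send and
# receive TCP traffic over the internal interface only.
allow httpd_t internal_netif_t:netif { tcp_recv tcp_send };

# The flaw: each check is evaluated independently. The policy can say "port 80"
# and it can say "internal addresses", but it cannot tie the two together as
# "port 80 only on internal addresses", because name_bind carries no node or
# interface information and node_bind carries no port information.
```

Reading the three rules together shows why the text calls the mechanism flawed: every permission grant is attached to its own object (port, node or interface), so the policy has no way to express that a particular socket, once bound to a particular port, may only exist on a particular address or interface.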
Consider the example of a web server on a DMZ system. The web server is allowed to receive...