When we confine network-facing services, for example web servers or database servers, we not only focus on the file-based restrictions and process capabilities, but also on what network activities the services are allowed to perform. Many database servers should not be able to initiate a connection to other systems at all and, if they do, those connections should be limited to the expected services (such as other database services).
The first approach to limiting this is to define which sockets a process is allowed to bind on (as a service) or connect to (as a client). In the majority of cases, the sockets are either TCP sockets or UDP sockets. In SELinux, these are mapped to the tcp_socket and udp_socket classes.
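As an added example that is not part of the original text, the policy module below confines a hypothetical database daemon domain, mydb_t, on the tcp_socket and udp_socket classes: it may create and use its own sockets, bind only to ports labelled mysqld_port_t, and connect outbound only to ports that carry the same label, so that any other outbound connection attempt is denied. The domain name mydb_t and the module name mydb are assumptions; mysqld_port_t and node_t are standard types from the reference policy.

```selinux
# Added example: mydb.te (the domain mydb_t is hypothetical).
# Build and load with:
#   checkmodule -M -m -o mydb.mod mydb.te
#   semodule_package -o mydb.pp -m mydb.mod
#   semodule -i mydb.pp
# Verify the resulting rules with:
#   sesearch --allow -s mydb_t -c tcp_socket
module mydb 1.0;

require {
    type mysqld_port_t;          # port label used for MySQL/MariaDB ports
    type node_t;                 # default label for local network nodes
    class tcp_socket { create bind listen accept connect node_bind name_bind name_connect };
    class udp_socket { create bind node_bind name_bind };
}

# Hypothetical domain for the confined database daemon.
type mydb_t;

# Socket lifecycle operations are granted only on the domain's own sockets.
allow mydb_t self:tcp_socket { create bind listen accept connect };
allow mydb_t self:udp_socket { create bind };

# Binding also requires node_bind on the node label the socket is bound to.
allow mydb_t node_t:tcp_socket node_bind;
allow mydb_t node_t:udp_socket node_bind;

# Server side: the daemon may listen only on ports labelled mysqld_port_t.
# No name_bind rule exists for any other port type, so binding elsewhere is denied.
allow mydb_t mysqld_port_t:tcp_socket name_bind;
allow mydb_t mysqld_port_t:udp_socket name_bind;

# Client side: outbound TCP connections are limited to other database ports.
# Without a name_connect rule for e.g. http_port_t, a connection to a web
# server from this domain is denied and logged as an AVC denial.
allow mydb_t mysqld_port_t:tcp_socket name_connect;
```

The name_bind and name_connect checks are evaluated against the port's label, which is why a daemon that must talk to an unusual port needs either a rule for that port type or a relabel of the port (semanage port) into a type the domain already has access to. In a reference-policy-style module the same effect is normally obtained through the generated interfaces corenet_tcp_bind_mysqld_port() and corenet_tcp_connect_mysqld_port() rather than raw allow rules.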