I think you indeed have to declare new network interface types if you want to differentiate between the various network interfaces in targeted policy using network_interface().
Then, I think, you would have to manually label the interfaces using semanage. Or maybe the network_interfaces() interface takes care of labelling. Not sure.
There is a good example at the very end of corenetwork.te.in, which 'redefines' the 'lo' network interface using the network_interfaces() macro. If I have to use a specific labelling I think I could follow that example (I wasn't sure if 'automatic' relabelling wasn't already done in some other obscure place in the targeted policy, hence my initial query).
By default most domains are allowed to use any network interface. They have access to the netif_type network interface attribute that is assigned to all network interface types (probably via network_interface()).
As I understand it (again, by looking at the corenetwork files) specific netif labelling, when defined, is used as an alias of netif_t, which grants access to all applications using the 'generic' type. If that is so and I am correct with that assumption all I need to do is define an alias for a specific net device (as shown in the corenetwork files) - say netif_tun0_t - and use this type in my custom policy to grant access to this device only. All other applications in the policy utilising the generic type (netif_t) should not be affected as the netif_xx_t is an alias of netif_t.
At least that is my understanding of it.
That, I think, probably means that you would have to replace the rules allowing the domain to use all network interfaces by rules that govern more specific access to the various network interface types.
Not if, as is in my case, I am building a new policy, from scratch, for an application which needs access to a specific interface only (tun0) - if all of my assumptions in this post are true, of course.
You can probably test this by auditing grants.
auditallow domain netif_type:netif *; or something along those lines.
Try it, I would say.
That is pretty useful! I'll give it a go!
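As an added illustration of the approach discussed in this thread (example code, not written by any of the posters), a minimal policy module for a hypothetical domain tunapp_t that declares its own netif type for tun0, grants that domain only this interface, and carries the auditallow check suggested above. The names tunapp_t, tunapp_exec_t and netif_tun0_t are assumptions; the device itself is labelled afterwards with semanage interface.

```selinux
# Added example module (tunapp.te). The names tunapp_t, tunapp_exec_t and
# netif_tun0_t are assumptions, not taken from any shipped policy.
policy_module(tunapp, 1.0.0)

require {
    # The attribute that corenetwork puts on every netif type; domains that
    # are allowed "netif_type:netif *" therefore also reach the new type.
    attribute netif_type;
}

# The confined application domain and its entrypoint.
type tunapp_t;
type tunapp_exec_t;
init_daemon_domain(tunapp_t, tunapp_exec_t)

# A netif type dedicated to tun0. Existing domains that use the generic
# type or the attribute are unaffected; tunapp_t gets only this interface.
type netif_tun0_t, netif_type;

allow tunapp_t netif_tun0_t:netif { ingress egress tcp_recv tcp_send udp_recv udp_send };

# Testing aid from the thread: log every netif grant made to tunapp_t so
# that any interface use beyond tun0 shows up in the audit log as
# "granted" records. Remove once the policy behaves as intended.
auditallow tunapp_t netif_type:netif *;

# After loading the module, bind the label to the device and review the
# grants (shell commands, shown here as comments):
#   semanage interface -a -t netif_tun0_t tun0
#   ausearch -m AVC -ts recent | grep granted | grep tunapp_t
```

Because the new type carries the netif_type attribute, the auditallow line reports grants on every interface, which is what makes an unintended match outside tun0 visible.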