filtering outgoing packets with SELinux and iptables

Hi, all: Most of the selinux+iptables guides out there talk about using iptables to label incoming packets, which would then be either allowed or denied by the domain of the application. I want to do it the other way around. Let's say I have a shared web hosting site where every client's application is running inside its own SELinux domain (e.g. httpd_myapp_script_t). I would like to be able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port 443, but not any other IP address. This is actually quite common -- an application may need to make a REST call to some site, but it really has no business talking to any other hosts on the net. I can use standard approach to allow httpd_myapp_script_t to connect to httpd_port_t, but this will allow it to talk to any host at all. How would I write a policy that would label packets going out of httpd_myapp_script_t (e.g. httpd_myapp_packet_t) and then use OUTPUT rules to only allow such packets to go out to 192.168.1.1:443? Has anyone done anything like that? Best, -- Konstantin Ryabitsev LinuxFoundation.org Montréal, Québec