openSUSE-Dokumentation Chapter 2. Profile Components and Syntax / 2.5. Network Access Control
	2.4. Capability Entries (POSIX.1e)		2.6. Paths and Globbing

Network Access Control

AppArmor allows mediation of network access based on the address type and family. The following illustrates the network access rule syntax:

network [[<domain>][<type>][<protocol>]]

	Supported domains: `inet`, `ax25`, `ipx`, `appletalk`, `netrom`, `bridge`, `x25`, `inet6`, `rose`, `netbeui`, `security`, `key`, `packet`, `ash`, `econet`, `atmsvc`, `sna`, `irda`, `pppox`, `wanpipe`, `bluetooth`
	Supported types: `stream`, `dgram`, `seqpacket`, `rdm`, `raw`, `packet`
	Supported protocols: `tcp`, `udp`, `icmp`

The AppArmor tools support only family and type specification. The AppArmor module emits only network domain type in “access denied” messages. And only these are output by the profile generation tools, both YaST and command line.

The following examples illustrate possible network-related rules to be used in AppArmor profiles. Note that the syntax of the last two are not currently supported by the AppArmor tools.

network,
network inet,
network inet6,
network inet stream,
network inet tcp,
network tcp,

	Allow all networking. No restrictions applied with regards to domain, type, or protocol.
	Allow general use of IPv4 networking.
	Allow general use of IPv6 networking.
	Allow the use of IPv4 TCP networking.
	Allow the use of IPv4 TCP networking, paraphrasing the rule above.
	Allow the use of both IPv4 and IPv6 TCP networking.