Description of problem: The current solutions are rather hacky and involves adding the program to a special user group and blocking that group via iptables. A simple option in the sandbox would be much appreciated in case you are accessing a program you don't trust to access the internet in a malicious way.
The man page says: "The default SELinux policy does not allow any capabilities or network access." I didn't see any documentation on how to allow network access. When I tried testing it I ran into a bug which I will file separately.
You need to run with a different selinux type sandbox -t sandbox_net_t for example. man sandbox ... -t --type Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X. Examples: sandbox_t - No X, No Network Access, No Open, read/write on passed in file descriptors. sandbox_min_t - No Network Access sandbox_x_t - Printer Ports sandbox_web_t - Ports required for web browsing sandbox_net_t - All network ports