by xorcist 3441 days ago
That's not the case at all.

The traditional way to filter a program's network traffic with netfilter is to give each piece of software its own uid, which can then be filtered. You will need it anyway to set ulimits and file access rights.

Also avoid deciding policy by process name. Even using the full path is problematic (things like hard links can give nasty surprises). Better to do what SELinux does and tag executables with metadata instead. Any role-based system will be much more expressive, but also more complex, than a uid-based one.
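The per-uid approach the comment describes, as an added example that is not part of the original post: a POSIX shell script that generates (and, with APPLY=1 as root, loads) iptables owner-match rules for one dedicated service account and launches the service under that uid with ulimits. The service name, uid, program path and allowed destination are constructed for illustration.

```shell
#!/bin/sh
# Added example: confine one service by uid with netfilter's owner match.
# Service name, uid, program and destination below are constructed values.
# By default every command is only printed; APPLY=1 (as root) executes them.
set -eu

# Emit the iptables rules that restrict outbound traffic for one uid.
# The owner match only sees locally generated packets, so the rules live in
# the OUTPUT chain; forwarded traffic cannot be matched by uid at all.
gen_uid_rules() {
    uid="$1"          # numeric uid of the service account
    allow_dst="$2"    # the one CIDR the service may talk to
    allow_port="$3"   # TCP port on that destination
    printf '%s\n' \
      "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT" \
      "iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner $uid -j ACCEPT" \
      "iptables -A OUTPUT -p tcp -d $allow_dst --dport $allow_port -m owner --uid-owner $uid -j ACCEPT" \
      "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"svc-$uid-drop: \"" \
      "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Emit the launch command: drop to the service uid and apply ulimits there,
# so the same uid governs file access, resource limits and network policy.
gen_launch_cmd() {
    user="$1"; prog="$2"
    printf '%s\n' "runuser -u $user -- sh -c 'ulimit -n 256 -u 32; exec $prog'"
}

run_or_print() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else printf '%s\n' "$1"; fi
}

main() {
    svc_user=exampled; svc_uid=4242; svc_prog=/usr/local/bin/exampled  # constructed
    # A system account with no login shell; the uid is what netfilter keys on.
    run_or_print "useradd -r -u $svc_uid -s /usr/sbin/nologin $svc_user"
    gen_uid_rules "$svc_uid" 192.0.2.10/32 443 | while IFS= read -r cmd; do
        run_or_print "$cmd"
    done
    run_or_print "$(gen_launch_cmd "$svc_user" "$svc_prog")"
}

main "$@"
```

The LOG rule before the final REJECT gives a per-uid audit trail of anything the service tried to reach outside its allow list.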