Many distros will disable network access in runlevel 2, and most will disable it in runlevel 1, also called "single mode" since only a single root console/shell is started. Add 2 or 1 to the kernel boot line as desired.

I don't know of any turnkey solution. What I would do to have a permissive runlevel and a tightened runlevel, arrange for only the always-on interfaces to be brought up automatically, and explicitly bring up the other interfaces in the tightened runlevel.

• You have 4 configurable runlevels, numbered 2, 3, 4, 5. Depending on your distribution, they may be identical by default or not. Generally, the larger the runlevel number, the more services are active. Let's say we want runlevels 2 and 3 to be permissive and 4 and 5 to be tightened.

• Don't bring up the risky network interfaces automatically. For example, on Debian or Ubuntu, that means /etc/network/interfaces declares the risky network interfaces but has no auto statement for them; and never run Network Manager.

• Write a script /etc/init.d/tightened-mode to switch between permissive mode and tightened mode. Something like (will require fleshing out):

  case $1 in
    start) switch SELinux to tightened mode; ifup eth1; ifup eth2;;
    stop) ifdown eth1; ifdown eth2; switch SELinux to permissive mode;;
  esac
  

• Add symbolic links K88tightened-mode → ../init.d/tightened-mode in /etc/rc2.d and /etc/rc3.d. Add symbolic links S12tightened-mode → ../init.d/tightened-mode in /etc/rc4.d and /etc/rc5.d. The details may vary depending on what init variant you use.

• When you boot, add the desired runlevel number at the end of the kernel command line, e.g.,

  root=/dev/sda1 ro magic=0xf00bar 2