On Sun, Jul 30, 2023 at 5:03 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote: > > I've been playing with network port types, and I've just discovered that > it appears to be possible to assign more than one type to a network > port (e.g. udp/1900). > > # semanage port -a -t fdf_port_t -p udp 1900 > ValueError: Port udp/1900 already defined > > # semanage port -m -t fdf_port_t -p udp 1900 > > # semanage port -l | grep 1900 > fdf_port_t udp 1900, 3483 > ssdp_port_t tcp 1900 > ssdp_port_t udp 1900 > > And, sure enough, my FDF service is now able to bind to udp/1900. > > I was not previously aware of this feature, and my internet searches > aren't turning up anything about it. I'd just like to confirm that this > is expected behavior (as it just seems really weird). Are there any > caveats to doing this? As far as the kernel is concerned, there can only be one type assigned to a network port, so your new definition is overriding the earlier one. Is the earlier one in a policy module rather than being created via semanage? A potential concern with what you are doing is that any rules written on the earlier type obviously won't be automatically applied to your new type, so anything relying on that behavior will break.
