Bug 239863

Summary: xen-http-server will not allow remote management; fails to bind to any port
Product: Red Hat Enterprise Linux 4
Reporter: Paul Morgan <pmorgan>
Component: xen
Assignee: Xen Maintainance List <xen-maint>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 4.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-17 18:04:07 UTC

Description Paul Morgan 2007-05-11 19:26:40 UTC
Description of problem:
xen-http-server does not bind to port 
as specified in /etc/xen/xend-config.sxp


Version-Release number of selected component (if applicable):
rhel 5.0


How reproducible: always

Steps to Reproduce:
1. uncomment existing lines in xend-config*
  (xend-http-server yes)
  (xend-address     192.168.0.something)
  (xend-port        8000)
2. service xend restart
3. netstat -tlpn | grep 8000
  
Actual results:
fails to bind; produces avc denials

Expected results:
xend should run mgmt on specified port

Additional info:
The default targeted selinux policy should be modified.

A workaround can be established as follows:

The default targeted policy does not allow
xen-http-server to bind to any port...
  semanage port -l | grep xen
  ^^^^ shows that only the relocation server is allowed to bind

...additionally, the default xend-config port 8000 cannot be used:
  semanage port -l | grep 8000

...so modify policy on running system:
  semanage port -a -t xen_port_t -p tcp 8001

...now modify xend-config:
  (xend-http-server yes)
  (xend-address     192.168.0.something)
  (xend-port        8001)

...and restart:
  service xend restart
  netstat -tlpn | grep 8001

xen happiness results!

Comment 1 Daniel Berrangé 2007-05-17 18:04:07 UTC
We don't support use of the xen-http-server at all in RHEL, hence it is not
allowed by the SELinux policy. XenD has *zero* authentication on its HTTP
service, so turning on 'xen-http-server' is quite seriously the same as running
a telnet server with no root password set. If you really want to let anyone own
your machine, then as you documented above, semanage can be used. This is not
something we will allow for out of the box.
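The workaround in the report and the maintainer's reply describe two facts an administrator would want to check on a host: whether xend-http-server is switched on in xend-config.sxp, and whether the SELinux port labeling would actually let xend bind the configured port (the "blocked" state that produces the AVC denials) or whether the unauthenticated management interface is reachable. The following audit script is an added example, my own rather than code from the bug report or from Xen. It reads the configuration and `semanage port -l` output from files so it runs offline against constructed samples embedded below; on a real host you would point it at /etc/xen/xend-config.sxp and a saved copy of `semanage port -l`. Assumptions: one setting per line in the s-expression config (the last uncommented occurrence wins), xend's default port 8000 when none is set, and a display-only fallback address of 0.0.0.0.

```shell
#!/bin/sh
# Added audit example, not code from the bug report or from Xen. It reads the
# xend configuration and `semanage port -l` output from files so it can run
# offline against the constructed samples below; on a real host point it at
# /etc/xen/xend-config.sxp and a saved copy of `semanage port -l`.

# Constructed sample of /etc/xen/xend-config.sxp, in the same s-expression
# form the report quotes. The commented-out line must be ignored.
sample_config() {
    cat <<'EOF'
# Example xend-config.sxp (constructed for this example)
#(xend-http-server no)
(xend-http-server yes)
(xend-address     192.168.0.10)
(xend-port        8000)
(xend-relocation-server no)
EOF
}

# Constructed sample of `semanage port -l` output: a header line, then
# "type proto ports" rows with comma-separated ports or a-b ranges.
sample_semanage() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
xen_port_t                     tcp      8002
EOF
}

# xend_setting KEY: print the value of the last uncommented "(KEY value)"
# line read on stdin. Assumes one setting per line, as in the report.
xend_setting() {
    sed -n "s/^[[:space:]]*($1[[:space:]]\{1,\}\([^)]*\)).*/\1/p" | tail -n 1
}

# port_labeled TYPE PROTO PORT: succeed if the `semanage port -l` output on
# stdin labels PORT/PROTO with TYPE (handles "a, b" lists and "a-b" ranges).
port_labeled() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (index(p, "-")) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p == port) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# audit_xend CONFIG SEMANAGE_OUTPUT: print one verdict line.
#   disabled           - xend-http-server is off (the supported state)
#   blocked:PORT       - enabled, but the port has no xen_port_t label, so the
#                        bind fails with the AVC denials the report describes
#   exposed:ADDR:PORT  - enabled and permitted: the unauthenticated management
#                        interface is reachable on ADDR:PORT
# Fallback port 8000 is xend's default from the quoted config (assumption);
# fallback address 0.0.0.0 is an assumption used for display only.
audit_xend() {
    http=$(xend_setting xend-http-server < "$1")
    port=$(xend_setting xend-port < "$1")
    addr=$(xend_setting xend-address < "$1")
    port=${port:-8000}
    if [ "$http" != yes ]; then
        echo disabled
    elif port_labeled xen_port_t tcp "$port" < "$2"; then
        echo "exposed:${addr:-0.0.0.0}:$port"
    else
        echo "blocked:$port"
    fi
}

# Stand-alone run over the constructed samples: prints "blocked:8000",
# matching the report (port 8000 is not labeled xen_port_t).
cfg=$(mktemp) && sem=$(mktemp)
sample_config > "$cfg"
sample_semanage > "$sem"
audit_xend "$cfg" "$sem"
rm -f "$cfg" "$sem"
```

Against the constructed samples the verdict is `blocked:8000`, the state the reporter hit. Adding a `xen_port_t tcp 8000` row to the semanage sample (what `semanage port -a -t xen_port_t -p tcp ...` does on a live system) flips the verdict to `exposed:192.168.0.10:8000`, which is the condition the maintainer's comment warns about and the one a host audit should flag; `(xend-http-server no)` yields `disabled`.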